Search Postgresql Archives

Re: Password complexity/history - credcheck?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 2024-06-23 at 14:14 +0100, Martin Goodson wrote:
> On 23/06/2024 11:49, Christoph Moench-Tegeder wrote:
> > My advice would be to not use secrets stored in the database -
> > that is, do not use scram-sha-256 - but use an external authentication
> > system, like Kerberos (might be AD) or LDAP (might also be AD) and have
> > that managed by the security team: that way all these compliance
> 
> Crikey, that would be  quite a lot of  lot of SSL/TLS to set up. We have quite a
> few (massive understatement :( ... ) PostgreSQL database clusters spread over 
> quite a lot (another understatement) of VMs.
> 
> The last time I suggested LDAP there was a lot of enthusiasm ... until they went
> down and looked at what might have to be done, after which it all became very quiet ...

Yes, LDAP is not perfect for that - for one, every connection to the database would
also hit the LDAP server.

Kerberos or certificate authentication is probably better.

For many PostgreSQL clusters and clients, that might be a lot of work.
But not all your PostgreSQL databases will contain equally sensitive data.
You could start with the important ones, try to automatize as much as possible,
and roll out the changes over time.

Yours,
Laurenz Albe






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux