Stephen Frost wrote: > * John McCawley (nospam@xxxxxxxxxxxx) wrote: >> (I am working on this project with Derrick.) We have to use the Active >> Directory to authenticate not only users from our client-side app (We're >> attempting to use PostgreSQL essentially as a proxy authentication >> mechanism), but also for connections to the SFTP server, and finally our >> web app. Rather than doing three separate binding mechanisms, we wanted >> to do the PAM/AD work once, and then have everything else defer to PAM >> for authentication. Ok. That certainly makes sense. Just that I can't help you then :-) > Have you considered using Kerberos to auth against AD instead of trying > to use LDAP binding? If you still want to use PAM then you might check > out libpam-krb5, which from a bit of googling appears to work w/ AD > Kerberos. Of course, an alternative might be to try using the native > Kerberos support in Postgres which I've heard may work w/ the Postgres > ODBC driver... The native one works very well with the ODBC driver, and should work with anything based off libpq. Which means anything that's not Java or .NET, I think. > Personally, I've gotten the Postgres ODBC driver working under windows > with MIT Kerberos and I've gotten Firefox under Windows working w/ MIT > Kerberos and using negotiate with Apache2 to authenticate users of > PhpPgAdmin to Postgres. I'm pretty sure all of this is possible with AD > instead of MIT Kerberos, or possibly even through a cross-realm setup. It works with AD on the server side, you still need to install MIT Kerberos on the client. //Magnus
