On Wed, Aug 5, 2009 at 18:47, Michael Gould<mgould@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> I am wondering how others handle the login situation. We use Active
> Directory and require our users to change their passwords every 30 days.
> Currently in our old system using SQL Anywhere we use the integrated login
> feature. Our db server is Windows 2003 R2
>
> I believe we can mimic this in Postgres.

You can do this as well with PostgreSQL using SSPI or GSSAPI
(depending on your client platforms)

> What are people's feelings about using passwords in Postgres in this
> situation? We know that only people authenticated to access our servers are
> actually getting logged in. All of our users must login through Citrix and
> access our system via our Citrix web page login.
>
> We I do not believe we can capture the password from Active Directory that
> the user types so I really do not want to use a password on the Postgres
> side. We do have application level security also which only allows certain
> users (same as the login id) access to the allowed areas within the system
> and only at the level of access prescribed within the system.

No, I'd definitely avoid that.

If you use LDAP, you don't need to capture the passwords. Just create
the accounts without passwords, and PostgreSQL will ask the AD server
for the login. Or if you use SSPI or GSSAPI, you will get a fully
integrated login.

> What are others' thoughts on this. With SQL Anywhere if you are using
> integrated logins, you need to enter a password when the account is first
> defined to the database but it is bypassed from that point forward unless
> you remove their access to use integrated logins.

Um, ok, I have to take that back. So SQL Anywhere is basically "store
the password in a file on the client" then? You can use a .pgpass file
for that, and just add something to your application that will prompt
for the password and add it to the file when the app starts. pgAdmin
does it this way.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
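
The `.pgpass` approach from the reply above, as an added example (not code from the original message, from PostgreSQL or from pgAdmin): a helper an application could call after prompting for the password, which adds or replaces the user's line in the password file. The function names, host, database and user are hypothetical, and the caller supplies the file path.

```python
import os
import tempfile

def escape_field(value):
    # In a password file, "\" and ":" inside a field are backslash-escaped.
    return value.replace("\\", "\\\\").replace(":", "\\:")

def upsert_pgpass(path, host, port, database, user, password):
    """Add or replace one hostname:port:database:username:password line."""
    fields = (host, str(port), database, user)
    if any(c in f for f in fields + (password,) for c in "\r\n"):
        raise ValueError("fields must not contain line breaks")
    prefix = ":".join(escape_field(f) for f in fields) + ":"
    entry = prefix + escape_field(password)

    lines = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            lines = [ln.rstrip("\n") for ln in fh]
    # Drop the stale line for the same host/port/database/user (this is what
    # a forced 30-day password change needs), then put the new line first:
    # libpq uses the first line that matches, so a wildcard line further up
    # would otherwise shadow it.
    lines = [entry] + [ln for ln in lines if not ln.startswith(prefix)]

    # mkstemp creates the file readable and writable by the owner only.
    # On Unix, libpq ignores a password file that group or world can access.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        os.replace(tmp, path)  # atomic swap, never a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return entry

if __name__ == "__main__":
    import getpass
    # Constructed connection details; the file path is a scratch location.
    target = os.path.join(tempfile.mkdtemp(), "pgpass")
    upsert_pgpass(target, "db.example.internal", 5432, "appdb", "alice",
                  getpass.getpass("Database password: "))
    print("wrote", target)
```

The file still holds the password in clear text on the client, so it is only as protected as the user's profile; the SSPI, GSSAPI and LDAP options in the same reply avoid storing it at all.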