Re: Using LDAP for authorization

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Magnus Hagander <mha(at)sollentuna(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Using LDAP for authorization
Date: 2005-05-02 14:41:42
Message-ID: 20050502144142.GV27470@ns.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

* Magnus Hagander (mha(at)sollentuna(dot)net) wrote:
> I want to pull authorization information from LDAP for my PostgreSQL
> database. I use kerberos for authentication, so I do *not* want to use
> LDAP for authentication. I want to pull group membership from LDAP and
> match it to the kerberos-provisded usernames. Preferrably the users
> should be auto-created if needed, but the groups are created by the
> admin (users shuold only be autocreated if they are members of these
> groups, of course).

Kind of a neat idea, but...

> I see two ways of doing this:
> 1) Have an external process that syncs database users and groups to the
> LDAP directory. I have no need for "instant updates" (if a new user is
> added, it's Ok if it takes an hour or so before he can log in to the
> database). Does somebody know of a tool that does this already?

I don't know of a tool that does it already but it doesn't sound too
difficult to do, honestly.

> 2) Somehow have this functionality in the backend authorization code -
> "native support for LDAP groups". Those who have digged around those
> parts of the code, is this something that seems reasonable to do? Is it
> something we'd want in the backend at all?

The user/group system is having something of an overhaul at the moment.
Basically I'm working on implementing roles. I think the problem at the
moment is that Postgres has no system in place for checking user or
group information externally/dynamically during operation really.
There's some support in the authentication code for checking external
sources (Kerberos, PAM, etc) for users. Once you're connected and
authenticated though, all of the user information, group information,
access controls, etc, are done using Postgres' 'system cache' and the
system tables/indexes. Changing that would require quite a bit of
effort...

Stephen

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Merlin Moncure 2005-05-02 14:57:29 Re: pg_locks needs a facelift
Previous Message Tom Lane 2005-05-02 14:38:39 Re: How to make lazy VACUUM of one table run in several transactions ?