Re: Anyone? Best way to authenticate postgres against

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: John McCawley <nospam(at)hardgeus(dot)com>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Derrick Stensrud <dstensrud(at)worleyco(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: Anyone? Best way to authenticate postgres against
Date: 2006-12-19 16:30:28
Message-ID: 20061219163028.GC24675@kenobi.snowman.net
Lists: pgsql-general

* John McCawley (nospam(at)hardgeus(dot)com) wrote:
> (I am working on this project with Derrick.) We have to use the Active
> Directory to authenticate not only users from our client-side app (We're
> attempting to use PostgreSQL essentially as a proxy authentication
> mechanism), but also for connections to the SFTP server, and finally our
> web app. Rather than doing three separate binding mechanisms, we wanted
> to do the PAM/AD work once, and then have everything else defer to PAM
> for authentication.

Have you considered using Kerberos to auth against AD instead of trying
to use LDAP binding? If you still want to use PAM then you might check
out libpam-krb5, which from a bit of googling appears to work w/ AD
Kerberos. Of course, an alternative might be to try using the native
Kerberos support in Postgres which I've heard may work w/ the Postgres
ODBC driver...

Personally, I've gotten the Postgres ODBC driver working under Windows
with MIT Kerberos and I've gotten Firefox under Windows working w/ MIT
Kerberos and using negotiate with Apache2 to authenticate users of
PhpPgAdmin to Postgres. I'm pretty sure all of this is possible with AD
instead of MIT Kerberos, or possibly even through a cross-realm setup.

Thanks,

Stephen

> Magnus Hagander wrote:
>
> >On Tue, Dec 19, 2006 at 09:52:58AM -0600, Derrick Stensrud wrote:
> >
> >
> >>Thanks I've been trying to use pam_ldap but I keep getting this error
> >>from postgres. I think it may have something to do with postgres
> >>running as the postgres user and not having permissions to something,
> >>but I have no idea what.
> >>
> >>
> >
> >Probably. Can you try the native LDAP authentication? If not, I'll have
> >to defer to someone who knows PAM.
> >
> >//Magnus
