Re: Using LDAP roles in PostgreSQL

From: "Lars Kanis" <lars(at)greiz-reinsdorf(dot)de>
To: Chris Travers <chris(dot)travers(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Using LDAP roles in PostgreSQL
Date: 2011-07-13 19:53:09
Message-ID: 201107132153.09541.kanis@comcard.de
Lists: pgsql-general


Hi Chris,

> I do have a question though. Does your application allow for creating
> only users and groups in part of the LDAP tree? Or does it have that
> possibility yet? Also can it be configured to ignore grants of
> specific Pg roles to users?
Yes, filters on both sides can be set and they can be different for users and
groups. The LDAP filter is according to RFC 2254 and the PG filter is plain SQL.
You may also collect all synchronized roles into a PG-group, so that you can
catch them easily. That's shown in
https://github.com/larskanis/pg-ldap-sync/blob/master/config/sample-config2.yaml

I just updated the README.txt according to your question.

> Just as an example of where I am going with this. One of my main
> projects (LedgerSMB) uses database roles to enforce permissions. One
> of the nice things is that password authentication could be passed
> through to an LDAP server to provide SSO for an organization.
I use it together with Kerberos and with SSL-certificate authentication. Since
there are default privileges in Postgres 9.0, it is practicable to use
fine-grained privileges now.

> I plan
> to forward this announcement to the list there as well as a
> potentially useful tool. I figure it is worth noting this on the list
> because I can't imagine I am the only one doing this.

Yes, thanks. I could announce it too, in case the list is writeable for me.

--
Regards,
Lars Kanis
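
Added example, not part of the original message and not pg-ldap-sync's own code: one way a plain-SQL filter on the PostgreSQL side can be limited to roles collected in a group, combined with the default privileges available since 9.0. All role names (ldap_users, alice, local_admin, app_owner) are hypothetical, and the filter is written out as a full query against the system catalogs.

```sql
-- Constructed example; every role name here is hypothetical.

-- Collector group: each synchronized role is created as a member of it,
-- so synchronized roles can be told apart from locally managed ones.
CREATE ROLE ldap_users NOLOGIN;

-- A role as the sync would create it, placed in the collector group.
CREATE ROLE alice LOGIN IN ROLE ldap_users;

-- A locally managed role that must stay outside the scope of the sync.
CREATE ROLE local_admin LOGIN CREATEROLE;

-- PG-side filter: select only roles that are members of ldap_users.
-- Roles outside the group (local_admin, postgres) are never matched,
-- so a sync restricted this way cannot alter or drop them.
SELECT r.rolname
FROM pg_roles r
WHERE r.oid IN (
    SELECT m.member
    FROM pg_auth_members m
    JOIN pg_roles g ON g.oid = m.roleid
    WHERE g.rolname = 'ldap_users'
);

-- Default privileges (PostgreSQL 9.0 and later): tables that app_owner
-- creates in schema public from now on are readable by every member of
-- ldap_users, without a GRANT per table or per synchronized user.
CREATE ROLE app_owner NOLOGIN;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT SELECT ON TABLES TO ldap_users;

-- Audit check: login-capable superusers that are inside the collector
-- group. This should return no rows; a hit means directory membership
-- can reach superuser rights.
SELECT r.rolname
FROM pg_roles r
JOIN pg_auth_members m ON m.member = r.oid
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname = 'ldap_users'
  AND r.rolsuper
  AND r.rolcanlogin;
```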
