From: | "Lars Kanis" <lars(at)greiz-reinsdorf(dot)de> |
---|---|
To: | Chris Travers <chris(dot)travers(at)gmail(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Using LDAP roles in PostgreSQL |
Date: | 2011-07-13 19:53:09 |
Message-ID: | 201107132153.09541.kanis@comcard.de |
Lists: | pgsql-general |
Hi Chris,
> I do have a question though. Does your application allow for creating
> only users and groups in part of the LDAP tree? Or does it have that
> possibility yet? Also can it be configured to ignore grants of
> specific Pg roles to users?
Yes, filters on both sides can be set and they can be different for users and
groups. The LDAP filter is according to RFC 2254 and the PG filter is plain SQL.
You may also collect all synchronized roles into a PG-group, so that you can
catch them easily. That's shown in
https://github.com/larskanis/pg-ldap-sync/blob/master/config/sample-config2.yaml
I just updated the README.txt according to your question.
> Just as an example of where I am going with this. One of my main
> projects (LedgerSMB) uses database roles to enforce permissions. One
> of the nice things is that password authentication could be passed
> through to an LDAP server to provide SSO for an organization.
I use it together with Kerberos and with SSL-certificate authentication. Since
there are default privileges in Postgres 9.0, it is practicable to use
fine-grained privileges now.
> I plan
> to forward this announcement to the list there as well as a
> potentially useful tool. I figure it is worth noting this on the list
> because I can't imagine I am the only one doing this.
Yes, thanks. I could announce it too, in case the list is writeable for me.
--
Regards,
Lars Kanis
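
Added example, not part of the original message and not pg-ldap-sync's own code: how scoping the LDAP side to a subtree and the PostgreSQL side to a marker group limits what a sync may create or drop. The function names, the `ldap_users` group name and the sample directory entries are assumptions constructed for illustration.

```python
# Added illustration, not pg-ldap-sync code. Names and sample data are constructed.

# PG-side filter as plain SQL: roles that are members of the marker group.
MANAGED_ROLES_SQL = """
SELECT r.rolname FROM pg_roles r
JOIN pg_auth_members m ON m.member = r.oid
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname = 'ldap_users'
"""

def quote_ident(name):
    """Quote an identifier so a name taken from LDAP cannot alter the SQL."""
    return '"' + name.replace('"', '""') + '"'

def plan_sync(ldap_entries, ldap_base, pg_roles, marker_group="ldap_users"):
    """Return (statements, conflicts) reconciling PostgreSQL roles with LDAP.

    ldap_entries: dicts with 'dn' and 'uid' that already matched the LDAP filter
    pg_roles:     role name -> set of groups it belongs to
    Only members of marker_group are ever dropped; an existing role outside
    that group with an LDAP name is reported, never taken over.
    """
    suffix = "," + ldap_base.lower()  # simple subtree test; real DNs need normalising
    wanted = {e["uid"].lower() for e in ldap_entries if e["dn"].lower().endswith(suffix)}
    managed = {r for r, groups in pg_roles.items() if marker_group in groups}
    group = quote_ident(marker_group)
    stmts = [f"CREATE ROLE {quote_ident(n)} LOGIN IN ROLE {group}"
             for n in sorted(wanted - set(pg_roles))]
    stmts += [f"DROP ROLE {quote_ident(n)}" for n in sorted(managed - wanted)]
    conflicts = sorted(wanted & (set(pg_roles) - managed))
    return stmts, conflicts

# Constructed sample: one entry outside the subtree, one name clashing with a
# built-in role, one managed role that has left the directory.
SAMPLE_BASE = "ou=People,dc=example,dc=com"
SAMPLE_LDAP = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "uid": "alice"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "uid": "bob"},
    {"dn": "uid=svc,ou=Services,dc=example,dc=com", "uid": "svc"},
    {"dn": "uid=postgres,ou=People,dc=example,dc=com", "uid": "postgres"},
]
SAMPLE_PG = {"postgres": set(), "app_owner": set(),
             "bob": {"ldap_users"}, "carol": {"ldap_users"}}

if __name__ == "__main__":
    statements, conflicts = plan_sync(SAMPLE_LDAP, SAMPLE_BASE, SAMPLE_PG)
    print("\n".join(statements))
    print("left alone:", conflicts)
```
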