Re: LDAP authentication slow

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: C GG <cgg0007(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: LDAP authentication slow
Date: 2018-05-30 16:04:51
Message-ID: 20180530160451.GS27724@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Greetings,

* C GG (cgg0007(at)gmail(dot)com) wrote:
> This is PostgreSQL 9.5 -- We just enabled LDAP(S) authentication (to an
> Active Directory server) for a certain grouping of users

You really shouldn't be using LDAP auth to an Active Directory system.
Active Directory supports Kerberos, which is a much more secure way to
authenticate.

> I'm getting complaints from the users authenticating using ldap that
> database operations are taking quite a bit longer than they were previously
> when they were authenticating with MD5 stored passwords. Clearly, there's
> more machinery at work with that kind of operation, but the increase in
> time is way more that I would have estimated.

Using Kerberos/GSSAPI will be much faster as you only need to get a
ticket and then that can be reused to authenticate multiple times to the
database without having to contact the LDAP server.

> I still want them to be able to type in a password, so GSSAPI is out for an
> alternative (right?) ... Is there something I can do to help speed things
> up? If there any telemetry that I can generate (logs, stats, etc.) which
> might be able to pinpoint a bottleneck?

What's the reason for wishing for them to "be able to type in a
password"? With GSSAPI/Kerberos, users get true single-sign-on, so they
would log into the Windows system with a password and then have a TGT
which can be used to authenticate to other services without having to
type in their password over and over again.

Thanks!

Stephen

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message C GG 2018-05-30 17:08:08 Re: LDAP authentication slow
Previous Message nageswara Bandla 2018-05-30 15:51:51 Re: Pgagent is not reading pgpass file either in Windows or Linux.