| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | "Lentes, Bernd" <bernd(dot)lentes(at)helmholtz-muenchen(dot)de> |
| Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: User Authentication: LDAP and "local" accounts concurrently ? |
| Date: | 2018-11-23 15:17:25 |
| Message-ID: | 20181123151725.GH3415@tamriel.snowman.net |
| Lists: | pgsql-admin |
Greetings,

* Lentes, Bernd (bernd(dot)lentes(at)helmholtz-muenchen(dot)de) wrote:
> I created a Postgres Server 9.6 on a SLES 12 SP3 box. In our institution we have a Windows ADS which I like to use to authenticate users via LDAP.

For running PostgreSQL in a Windows ADS environment, you should really
be using GSSAPI / Kerberos and *not* using LDAP authentication.
GSSAPI / Kerberos is what Windows uses to authenticate users and
services and it's much more secure than using LDAP.

> Is it possible to use both concurrently? Some users authenticate via LDAP, others local.

As Tom mentioned, you can have two pg_hba.conf entries. For what you're
doing, it seems like maybe you would have a 'local user' group which
comes first in pg_hba.conf and is a role that all local users are a
member of, and then you could have a second entry that is 'all' users,
so you don't have to have every user in the active directory environment
in a group in the database.

Thanks!

Stephen
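
The two-entry layout described in the message above, written out as an added example (it is not part of the original message). The role name `local_users`, the account `alice`, the address range, the realm and the LDAP host are constructed placeholders.

```conf
# pg_hba.conf (PostgreSQL 9.6). Records are tried top to bottom. The first
# record whose type, database, user and address match is the one used; if
# authentication fails on that record, later records are NOT tried.
#
# Assumed setup (placeholder names, not from the thread):
#   CREATE ROLE local_users NOLOGIN;
#   GRANT local_users TO alice;          -- repeat for each local account
#
# TYPE  DATABASE  USER          ADDRESS      METHOD

# 1) Members of local_users ("+" means role membership) authenticate with
#    the password stored in PostgreSQL. This record must come first: if the
#    "all" record below were listed first, local accounts would match it and
#    never reach this line.
host    all       +local_users  10.0.0.0/8   md5

# 2) Every other role is authenticated against Active Directory via
#    GSSAPI / Kerberos. A login role with the matching name must still
#    exist in the database for each user who connects.
host    all       all           10.0.0.0/8   gss include_realm=0 krb_realm=EXAMPLE.ORG

# LDAP form of record 2 (simple bind), if LDAP is used instead of GSSAPI:
# host  all       all           10.0.0.0/8   ldap ldapserver=dc1.example.org ldaptls=1 ldapsuffix="@example.org"
```

After editing, reload the configuration (for example with `SELECT pg_reload_conf();`) and test one account from each group.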