| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Diego <mrstephenamell(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: pg_hba & ldap |
| Date: | 2019-10-22 12:43:34 |
| Message-ID: | 20191022124334.GX6962@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-es-ayuda pgsql-general |
Greetings,
* Diego (mrstephenamell(at)gmail(dot)com) wrote:
> I have a problem with ldap authentication, I have a ldap string like this:
>
> host all all 0.0.0.0/0 ldap ldapserver="10.20.90.251
> 10.20.90.252 10.10.90.251 10.10.90.252" ldapport=389...
>
> It is correct? if the firs server is down, pg will go to the next one to
> continue authenticating?
Yes, that looks like it should work- is it not?
> It's a pg11 and ldap is an ipa server
Note that with an IPA setup, similar to if you were running Active
Directory, you have Kerberos and a KDC available, which is a much better
authentication mechanism that removes the need for the database sever to
reach out to another system to handle the authentication, and avoids
having the user's password sent to the database server. You might want
to consider using that (which is called 'gssapi' in PostgreSQL, which is
basically generalized Kerberos) instead of LDAP.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Carlos Martinez | 2019-10-24 16:16:15 | Caso interesante: recuperar BD solo con el directorio data/base |
| Previous Message | Diego | 2019-10-22 12:11:59 | pg_hba & ldap |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | stan | 2019-10-22 13:57:32 | FW: Re: A question about building pg-libphonenumber |
| Previous Message | Pavel Stehule | 2019-10-22 12:43:17 | Re: A question about building pg-libphonenumber |