| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | chlor <hans(dot)schou(at)gmail(dot)com> |
| Cc: | pgsql-general <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: LDAP, single sign on from Windows client |
| Date: | 2021-04-06 15:59:19 |
| Message-ID: | 20210406155919.GD20766@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Greetings,
* chlor (hans(dot)schou(at)gmail(dot)com) wrote:
> I have a Linux server which is setup with authentication via LDAP against a
> Windows A/D. In pg_hba I have
> host ... ldap ldapserver=example.org ldapprefix="" ldapsuffix="@example.org"
>
> The user is also created in PostgreSQL but without a password.
> I can then login with psql from a Windows client with a user defined in the
> AD.
>
> But the problem is that psql asks for a password.
> Is it possible to make a single sign-on without the password prompt?
Yes, use GSSAPI based authentication instead of LDAP. Using GSSAPI is
also more secure and avoids sending the user's password to the PG
server.
PG Docs: https://www.postgresql.org/docs/current/gssapi-auth.html
Blog I wrote about setting it up:
https://blog.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jehan-Guillaume de Rorthais | 2021-04-06 16:01:09 | Re: MultiXactId wraparound and last aggressive vacuum time |
| Previous Message | Jehan-Guillaume de Rorthais | 2021-04-06 15:46:32 | Re: questions about wraparound |