| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Rocco Kreutz <r(dot)kreutz(at)prodat-sql(dot)de> |
| Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Secure LDAP auth on windows machine inside domain |
| Date: | 2021-05-21 15:31:49 |
| Message-ID: | 20210521153149.GR20766@tamriel.snowman.net |
| Lists: | pgsql-admin |

Greetings,

* Rocco Kreutz (r(dot)kreutz(at)prodat-sql(dot)de) wrote:
> It must be LDAP, because the users need to use a shortened different login,
> which is stored in AD

You can map users using pg_ident.conf, there's no need to use LDAP to
have a different login name in the database, and it's not secure to use
LDAP.

When LDAP is used, the user's credentials are seen by the server in the
clear (and there's not really anything you can do about that, it's the
nature of that auth method) and therefore if the DB server is
compromised then everyone's credentials who logs into the DB server will
also be compromised (TLS/SSL doesn't help because that only protects
traffic across the network).

Thanks,

Stephen
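
An added illustration of the pg_ident.conf mapping mentioned in the message above (not part of the original email). It assumes the Windows server authenticates domain users with SSPI; the domain name EXAMPLE, the map name adshort, the address range and all user names are constructed.

```conf
# ---- pg_hba.conf (assumed: PostgreSQL on a domain-joined Windows host) ----
# SSPI lets Windows negotiate Kerberos/NTLM, so the password never
# reaches the database server. "map=adshort" selects the mapping below.
# include_realm=1 (the default) appends @DOMAIN to the authenticated name;
# with the default compat_realm=1 that is the NetBIOS domain name.
#
# TYPE  DATABASE  USER  ADDRESS       METHOD  OPTIONS
host    all       all   10.0.0.0/8    sspi    include_realm=1 map=adshort

# ---- pg_ident.conf ----
# MAPNAME  SYSTEM-USERNAME           PG-USERNAME
#
# Explicit pairs: AD account on the left, shortened database role on the right.
adshort    jane.doe@EXAMPLE          jdoe
adshort    max.mustermann@EXAMPLE    mmu
#
# Optional regex fallback: a leading "/" marks a regular expression, and \1
# is replaced by the first capture group. This lets any EXAMPLE account
# connect as the role with the same name as the AD account, without the
# domain suffix. Leave it out to allow only the explicit pairs above.
adshort    /^(.*)@EXAMPLE$           \1
```

A connection succeeds only if the role requested by the client matches a PG-USERNAME that the map yields for the authenticated AD account, and pg_ident.conf changes take effect after a configuration reload.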