Greetings,
* Rocco Kreutz (r(dot)kreutz(at)prodat-sql(dot)de) wrote:
> It must be LDAP, because the users need to use a shortened diffrent login,
> which is stored in ad
You can map users using pg_ident.conf, there's no need to use LDAP to
have a different login name in the database, and it's not secure to use
LDAP.
When LDAP is used, the user's credentials are seen by the server in the
clear (and there's not really anything you can do about that, it's the
nature of that auth method) and therefore if the DB server is
compromised then everyone's credentials who logs into the DB server will
also be compromised (TLS/SSL doesn't help because that only protects
traffic across the network).
Thanks,
Stephen