From: | "Lentes, Bernd" <bernd(dot)lentes(at)helmholtz-muenchen(dot)de> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org> |
Subject: | Re: User Authentication: LDAP and "local" accounts concurrently ? |
Date: | 2018-11-23 21:38:35 |
Message-ID: | 33999F41-3B4A-46D3-BB18-531CF8662C0E@helmholtz-muenchen.de |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin |
Bernd Lentes
> Am 23.11.2018 um 20:14 schrieb Stephen Frost <sfrost(at)snowman(dot)net>:
>
>
> With LDAP, the user's password will be seen by the PostgreSQL server,
> and sent over the wire in cleartext unless you're making sure to use TLS
> on the connection to PG (and if you're doing that you really want to
> make sure you have verify-full enabled on your clients....).
>
> With Kerberos/GSSAPI, the authentication tokens are encrypted by the KDC
> (in your case, the AD domain controllers) and the user's password is
> never exposed.
>
> Thanks!
>
> Stephen
I‘m Not sure wether my Clients speak TLS. I‘m afraid they don‘t.
But isn‘t then also the password transmitted in cleartext ? It must be transmitted from the client to the Pg Server, independent of using LDAP or Kerberos/GSSAPU.
Bernd
Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDirig.in Petra Steiner-Hoffmann
Stellv.Aufsichtsratsvorsitzender: MinDirig. Dr. Manfred Wolter
Geschaeftsfuehrer: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Heinrich Bassler, Dr. rer. nat. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 12952167
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2018-11-23 21:44:23 | Re: User Authentication: LDAP and "local" accounts concurrently ? |
Previous Message | Stephen Frost | 2018-11-23 19:14:13 | Re: User Authentication: LDAP and "local" accounts concurrently ? |