| From: | "Lentes, Bernd" <bernd(dot)lentes(at)helmholtz-muenchen(dot)de> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: User Authentication: LDAP and "local" accounts concurrently ? |
| Date: | 2018-11-23 21:38:35 |
| Message-ID: | 33999F41-3B4A-46D3-BB18-531CF8662C0E@helmholtz-muenchen.de |
| Lists: | pgsql-admin |
Bernd Lentes
> Am 23.11.2018 um 20:14 schrieb Stephen Frost <sfrost(at)snowman(dot)net>:
>
>
> With LDAP, the user's password will be seen by the PostgreSQL server,
> and sent over the wire in cleartext unless you're making sure to use TLS
> on the connection to PG (and if you're doing that you really want to
> make sure you have verify-full enabled on your clients....).
>
> With Kerberos/GSSAPI, the authentication tokens are encrypted by the KDC
> (in your case, the AD domain controllers) and the user's password is
> never exposed.
>
> Thanks!
>
> Stephen
I'm not sure whether my clients speak TLS. I'm afraid they don't.
But isn't then also the password transmitted in cleartext? It must be transmitted from the client to the Pg server, independent of using LDAP or Kerberos/GSSAPI.
Bernd
Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDirig.in Petra Steiner-Hoffmann
Stellv.Aufsichtsratsvorsitzender: MinDirig. Dr. Manfred Wolter
Geschaeftsfuehrer: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Heinrich Bassler, Dr. rer. nat. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 12952167
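The quoted reply above makes the point that with `ldap` authentication the server receives the user's cleartext password, so it crosses the wire unprotected unless the connection is TLS (and clients then need `verify-full`). The following audit script is an added example, not code from either participant in this thread: it scans a pg_hba.conf fragment and flags rules that combine a server-visible-password method (`ldap`, `password`, `radius`, `pam`) with a connection type that does not force an encrypted transport (`host`, `hostnossl`), and marks `hostssl` + `ldap` as "acceptable only if clients verify the server certificate". The sample pg_hba.conf content, hostnames and addresses are constructed for the example.

```python
"""Audit pg_hba.conf for server-visible passwords that may travel without TLS.

Added example for this mailing-list thread; it is not the thread authors' code.
The pg_hba.conf sample below is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Methods where the client sends the password itself and the server checks it
# (or forwards it to LDAP/RADIUS/PAM). Without TLS it is cleartext on the wire.
CLEARTEXT_PASSWORD_METHODS = {"ldap", "password", "radius", "pam"}

# Connection types that guarantee an encrypted transport for the rule.
ENCRYPTED_TYPES = {"hostssl", "hostgssenc"}

# All pg_hba.conf authentication methods, used to tell "ADDRESS NETMASK" apart
# from "ADDRESS METHOD" when the address is written as two tokens.
KNOWN_METHODS = CLEARTEXT_PASSWORD_METHODS | {
    "trust", "reject", "scram-sha-256", "md5", "gss", "sspi",
    "ident", "peer", "cert", "bsd",
}


@dataclass
class Finding:
    line_no: int
    conn_type: str
    method: str
    severity: str  # "high": cleartext possible; "info": TLS forced, verify clients
    message: str


def parse_rule(line: str) -> Optional[Tuple[str, str, str, Optional[str], str]]:
    """Return (type, database, user, address, method) or None for blank/comment lines."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    fields = stripped.split()
    conn_type = fields[0]
    if conn_type == "local":
        # local rules have no ADDRESS column: TYPE DATABASE USER METHOD [OPTIONS]
        if len(fields) < 4:
            return None
        return conn_type, fields[1], fields[2], None, fields[3]
    if len(fields) < 5:
        return None
    # ADDRESS may be "cidr" (one token) or "ip netmask" (two tokens).
    if fields[4] in KNOWN_METHODS:
        return conn_type, fields[1], fields[2], fields[3], fields[4]
    if len(fields) >= 6 and fields[5] in KNOWN_METHODS:
        return conn_type, fields[1], fields[2], f"{fields[3]} {fields[4]}", fields[5]
    return None


def audit(hba_text: str) -> List[Finding]:
    """Return findings for every rule that can expose a cleartext password."""
    findings: List[Finding] = []
    for line_no, line in enumerate(hba_text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None:
            continue
        conn_type, _db, _user, _addr, method = rule
        if conn_type == "local" or method not in CLEARTEXT_PASSWORD_METHODS:
            continue  # unix socket, or a method that never sends the password as-is
        if conn_type in ENCRYPTED_TYPES:
            findings.append(Finding(
                line_no, conn_type, method, "info",
                f"{method} over {conn_type}: transport is encrypted, but clients "
                "must use sslmode=verify-full or the password can be captured by "
                "a spoofed server",
            ))
        else:
            findings.append(Finding(
                line_no, conn_type, method, "high",
                f"{method} over {conn_type}: password may cross the wire in "
                "cleartext; use hostssl (and verify-full clients) or switch to gss",
            ))
    return findings


# Constructed sample configuration (not from the thread).
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS      METHOD   [OPTIONS]
local      all       all                peer
host       all       all   10.0.0.0/8   ldap ldapserver=ldap.example.org ldapprefix="cn=" ldapsuffix=",dc=example,dc=org"
hostssl    all       all   10.0.0.0/8   ldap ldapserver=ldap.example.org ldapprefix="cn=" ldapsuffix=",dc=example,dc=org"
hostnossl  all       all   0.0.0.0/0    password
host       all       all   10.0.0.0/8   gss
host       all       all   10.0.0.0/8   scram-sha-256
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HBA):
        print(f"line {f.line_no} [{f.severity}] {f.message}")
```

Run against the constructed sample, the script reports the `host ... ldap` and `hostnossl ... password` rules as high risk and the `hostssl ... ldap` rule as an informational item; the `gss` and `scram-sha-256` rules produce nothing, since neither puts the user's password on the wire as-is. The `KNOWN_METHODS` set is the one from the pg_hba.conf documentation; if a deployment uses a method not listed there, add it or the parser will skip that rule.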