Re: Best practice? Web application: single PostgreSQL

From: "Keith G(dot) Murphy" <keithmur(at)mindspring(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: johnsw(at)wardbrook(dot)com, pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: Best practice? Web application: single PostgreSQL
Date: 2004-01-13 18:47:56
Message-ID: 40043D5C.30400@mindspring.com
Lists: pgsql-general

Tom Lane wrote:

> "Keith G. Murphy" <keithmur(at)mindspring(dot)com> writes:
>
>>Hmmm, mightn't it be kind of nice if there were PAM or krb5 maps in
>>addition to ident maps?
>
>
> ISTM the whole point of PAM is that you plug in your desired security
> policy outside of the application. You shouldn't be asking for more
> security frammishes from Postgres, you should be off coding a PAM module
> that does things exactly the way you want.
>

I believe I see what you mean. Given the original premise, I imagine
you could have the PAM module do something like:

(1) Authenticate via LDAP using the user's username and password

(2) Look up the "role" name (real PostgreSQL username) via LDAP, using
the username

(3) Tell PostgreSQL that the user is authenticated under role name.

I really hadn't thought much about how the PAM module might work.
--
Why waste time learning when ignorance is instantaneous?
-- Hobbes
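
The three steps sketched in the message above, as an added example that is not part of the original email or of PostgreSQL: a Python model of the decision logic only (not a PAM module), with an in-memory dictionary standing in for the LDAP server. The `pgRole` attribute name, the role allowlist and all accounts are assumptions constructed for illustration.

```python
import hmac

# Constructed stand-in for an LDAP directory: uid -> (password, pgRole values).
# The attribute name "pgRole" and every entry here are hypothetical.
DIRECTORY = {
    "alice": ("s3cret-a", ["app_readonly"]),
    "bob":   ("s3cret-b", ["app_writer", "app_admin"]),  # ambiguous mapping
    "carol": ("s3cret-c", []),                           # no role assigned
    "dave":  ("s3cret-d", ["postgres"]),                 # maps to a superuser
}

# Roles the mapping is allowed to hand out; anything else is refused.
ALLOWED_ROLES = {"app_readonly", "app_writer"}


class AuthError(Exception):
    """Raised for every failure so callers cannot fall through to success."""


def ldap_bind(username, password):
    # Step 1. Reject an empty password before contacting the directory:
    # LDAP treats a simple bind with a name and no password as an
    # unauthenticated bind, which many servers accept.
    if not username or not password:
        raise AuthError("empty credentials")
    entry = DIRECTORY.get(username)
    stored = entry[0] if entry else ""
    # Run the comparison for unknown users too, so both paths do the same work.
    matches = hmac.compare_digest(stored.encode(), password.encode())
    if entry is None or not matches:
        raise AuthError("bind failed")


def lookup_role(username):
    # Step 2. Require exactly one role value; zero or several is an error.
    roles = DIRECTORY[username][1]
    if len(roles) != 1:
        raise AuthError("no unique role for user")
    if roles[0] not in ALLOWED_ROLES:
        raise AuthError("role not permitted")
    return roles[0]


def authenticate(username, password):
    # Step 3. Hand back the PostgreSQL role name only after both steps succeed.
    ldap_bind(username, password)
    return lookup_role(username)
```

Every failure path raises instead of returning a default role, so a directory entry with a missing, ambiguous or privileged mapping results in a denied login.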
