From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | John McCawley <nospam(at)hardgeus(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Derrick Stensrud <dstensrud(at)worleyco(dot)com>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Anyone? Best way to authenticate postgres against |
Date: | 2006-12-19 20:06:50 |
Message-ID: | 4588465A.1080706@hagander.net |
Lists: | pgsql-general |
Stephen Frost wrote:
> * John McCawley (nospam(at)hardgeus(dot)com) wrote:
>> (I am working on this project with Derrick.) We have to use the Active
>> Directory to authenticate not only users from our client-side app (We're
>> attempting to use PostgreSQL essentially as a proxy authentication
>> mechanism), but also for connections to the SFTP server, and finally our
>> web app. Rather than doing three separate binding mechanisms, we wanted
>> to do the PAM/AD work once, and then have everything else defer to PAM
>> for authentication.

Ok. That certainly makes sense. Just that I can't help you then :-)

> Have you considered using Kerberos to auth against AD instead of trying
> to use LDAP binding? If you still want to use PAM then you might check
> out libpam-krb5, which from a bit of googling appears to work w/ AD
> Kerberos. Of course, an alternative might be to try using the native
> Kerberos support in Postgres which I've heard may work w/ the Postgres
> ODBC driver...

The native one works very well with the ODBC driver, and should work
with anything based off libpq. Which means anything that's not Java or
.NET, I think.

> Personally, I've gotten the Postgres ODBC driver working under windows
> with MIT Kerberos and I've gotten Firefox under Windows working w/ MIT
> Kerberos and using negotiate with Apache2 to authenticate users of
> PhpPgAdmin to Postgres. I'm pretty sure all of this is possible with AD
> instead of MIT Kerberos, or possibly even through a cross-realm setup.

It works with AD on the server side, you still need to install MIT
Kerberos on the client.

//Magnus