Re: Anyone? Best way to authenticate postgres against

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: John McCawley <nospam(at)hardgeus(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Derrick Stensrud <dstensrud(at)worleyco(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: Anyone? Best way to authenticate postgres against
Date: 2006-12-19 20:06:50
Message-ID: 4588465A.1080706@hagander.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Stephen Frost wrote:
> * John McCawley (nospam(at)hardgeus(dot)com) wrote:
>> (I am working on this project with Derrick.) We have to use the Active
>> Directory to authenticate not only users from our client-side app (We're
>> attempting to use PostgreSQL essentially as a proxy authentication
>> mechanism), but also for connections to the SFTP server, and finally our
>> web app. Rather than doing three separate binding mechanisms, we wanted
>> to do the PAM/AD work once, and then have everything else defer to PAM
>> for authentication.

Ok. That certainly makes sense. Just that I can't help you then :-)

> Have you considered using Kerberos to auth against AD instead of trying
> to use LDAP binding? If you still want to use PAM then you might check
> out libpam-krb5, which from a bit of googling appears to work w/ AD
> Kerberos. Of course, an alternative might be to try using the native
> Kerberos support in Postgres which I've heard may work w/ the Postgres
> ODBC driver...

The native one works very well with the ODBC driver, and should work
with anything based off libpq. Which means anything that's not Java or
.NET, I think.

> Personally, I've gotten the Postgres ODBC driver working under windows
> with MIT Kerberos and I've gotten Firefox under Windows working w/ MIT
> Kerberos and using negotiate with Apache2 to authenticate users of
> PhpPgAdmin to Postgres. I'm pretty sure all of this is possible with AD
> instead of MIT Kerberos, or possibly even through a cross-realm setup.

It works with AD on the server side, you still need to install MIT
Kerberos on the client.

//Magnus

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Tony Caduto 2006-12-19 20:06:57 Re: Creating an Independant Application
Previous Message Glen Parker 2006-12-19 19:49:55 Re: Second attempt, roll your own autovacuum