Re: Update "usename" in pg_user

From: Holger Jakobs <holger(at)jakobs(dot)com>
To: pgsql-admin(at)lists(dot)postgresql(dot)org
Cc: bernd(dot)lentes(at)helmholtz-muenchen(dot)de
Subject: Re: Update "usename" in pg_user
Date: 2023-11-14 14:51:53
Message-ID: 6d800f7b-47e3-08e1-2a9e-0cd561af64cd@jakobs.com
Lists: pgsql-admin

On 14.11.23 at 13:56, Bernd Lentes wrote:
> Hi,
>
> The last time I wrote a SQL command was about 20 years ago.
> So I'm asking for your advice.
> I have a DB which is accessed by ~ 40 users.
> The users are in pg_user and authenticated with LDAP.

There have been several warnings on this list about using LDAP for
authentication.

I quote one of them:

PostgreSQL supports GSSAPI / Kerberos, which is a much better
approach in Active Directory and other environments where Kerberos
is deployed.

Using LDAP exposes the user's password to the database server and
therefore isn't secure and should be strongly discouraged.

You can certainly have applications authenticate to PostgreSQL using
Kerberos too with very little overhead (unlike PG's LDAP
authentication option, which makes a synchronous call out to the
LDAP server on each and every login).

If you insist on using LDAP, you might use the regexp feature to extract
the username from the complete mail address. Only if the same user name
with different server parts (after the @) exists, you'll have to change
your user names.

Quoted user names are very much unloved.

Regards,

Holger

> --
> Holger Jakobs, PostgreSQL Expert and Trainer, Bergisch Gladbach, Tel. +49-178-9759012
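
The two authentication methods contrasted in the message above, as an added configuration sketch that is not part of the original e-mail or of anyone's actual setup: an LDAP simple-bind rule next to a GSSAPI rule, with a regular-expression user name map that reduces `user@REALM` to the bare role name. The host name, DNs, realm, network range and map name are constructed placeholders.

```conf
# ---- pg_hba.conf ----------------------------------------------------------
# TYPE      DATABASE  USER  ADDRESS        METHOD  OPTIONS

# LDAP simple bind. The client sends its password to PostgreSQL, and the
# server then binds to the directory as that user. The database server
# therefore handles the cleartext password and contacts the LDAP server on
# every login. hostssl and ldaptls=1 only protect the two network hops.
hostssl     all       all   192.0.2.0/24   ldap    ldapserver=ldap.example.org ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=org"

# GSSAPI / Kerberos. The client presents a service ticket; no password
# reaches the database server. include_realm=1 keeps the realm in the
# authenticated name so that the map below can check it, krb_realm rejects
# principals from any other realm, and hostgssenc (PostgreSQL 12 and later)
# requires GSSAPI-encrypted transport.
hostgssenc  all       all   192.0.2.0/24   gss     include_realm=1 krb_realm=EXAMPLE.ORG map=krb_users

# ---- pg_ident.conf --------------------------------------------------------
# MAPNAME    SYSTEM-USERNAME            PG-USERNAME
# A leading slash marks the field as a regular expression; \1 is replaced by
# the first capture group. Principal alice@EXAMPLE.ORG may connect as role
# "alice", so role names need neither quoting nor an @ part.
krb_users    /^([^@]+)@EXAMPLE\.ORG$    \1
```

Only one of the two `pg_hba.conf` rules would be active for a given address range, since the first matching line wins.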
