| From: | Paul Förster <paul(dot)foerster(at)gmail(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | "pgsql-general(at)postgresql(dot)org >> PG-General Mailing List" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: LDAP(s) doc misleading |
| Date: | 2021-01-07 09:45:31 |
| Message-ID: | 882594BE-ED79-457B-8BAB-AF98ABD46FF7@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi Stephen,
> On 06. Jan, 2021, at 18:14, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
> When in an Active Directory environment, it's far more secure to use
> Kerberos/GSSAPI and not LDAP (or LDAPS). Using the ldap authentication
> method with PostgreSQL will result in the credentials of users being
> sent to the database server, such that if the database server is
> compromised so will all of those user accounts.
I understand. But users can't login on the database server, just on the database. Database servers and client machines are located in different network zones with firewalls between them.
Also, my point was not about using LDAP(S) versus Kerberos or GSSAPI. My point was, that I find the description of the ldapscheme entry misleading.
Cheers,
Paul
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2021-01-07 10:04:17 | Re: LDAP(s) doc misleading |
| Previous Message | Paul Förster | 2021-01-07 09:40:46 | Re: Using more than one LDAP? |