Re: LDAP(s) doc misleading

From: Paul Förster <paul(dot)foerster(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: "pgsql-general(at)postgresql(dot)org >> PG-General Mailing List" <pgsql-general(at)postgresql(dot)org>
Subject: Re: LDAP(s) doc misleading
Date: 2021-01-07 09:45:31
Message-ID: 882594BE-ED79-457B-8BAB-AF98ABD46FF7@gmail.com
Lists: pgsql-general

Hi Stephen,

> On 06. Jan, 2021, at 18:14, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
> When in an Active Directory environment, it's far more secure to use
> Kerberos/GSSAPI and not LDAP (or LDAPS). Using the ldap authentication
> method with PostgreSQL will result in the credentials of users being
> sent to the database server, such that if the database server is
> compromised so will all of those user accounts.

I understand. But users can't log in on the database server, just on the database. Database servers and client machines are located in different network zones with firewalls between them.

Also, my point was not about using LDAP(S) versus Kerberos or GSSAPI. My point was that I find the description of the ldapscheme entry misleading.

Cheers,
Paul
