Re: LDAP using Active Directory

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Michael Gould <mgould(at)intermodalsoftwaresolutions(dot)net>
Cc: Postgres General Postgres General <pgsql-general(at)postgresql(dot)org>
Subject: Re: LDAP using Active Directory
Date: 2009-08-06 07:23:34
Message-ID: 9837222c0908060023r507b522dx9a7631a4190e0f5d@mail.gmail.com
Lists: pgsql-general

On Wed, Aug 5, 2009 at 18:47, Michael
Gould<mgould(at)intermodalsoftwaresolutions(dot)net> wrote:
>
> I am wondering how others handle the login situation.  We use Active
> Directory and require our users to change their passwords every 30 days.
> Currently in our old system using SQL Anywhere we use the integrated login
> feature.  Our db server is Windows 2003 R2
>
> I believe we can mimic this in Postgres.

You can do this as well with PostgreSQL using SSPI or GSSAPI
(depending on your client platforms)

> What are people's feelings about using passwords in Postgres in this
> situation? We know that only people authenticated to access our servers are
> actually getting logged in.  All of our users must login through Citrix and
> access our system via our Citrix web page login.
>
> I do not believe we can capture the password from Active Directory that
> the user types so I really do not want to use a password on the Postgres
> side.  We do have application level security also which only allows certain
> users (same as the login id) access to the allowed areas within the system
> and only at the level of access prescribed within the system.

No, I'd definitely avoid that. If you use LDAP, you don't need to
capture the passwords. Just create the accounts without passwords, and
PostgreSQL will ask the AD server for the login. Or if you use SSPI or
GSSAPI, you will get a fully integrated login.

> What are others' thoughts on this. With SQL Anywhere if you are using
> integrated logins, you need to enter a password when the account is first
> defined to the database but it is bypassed from that point forward unless
> you remove their access to use integrated logins.

Um, ok, I have to take that back. So SQL Anywhere is basically "store
the password in a file on the client" then? You can use a .pgpass file
for that, and just add something to your application that will prompt
for the password and add it to the file when the app starts. pgAdmin
does it this way.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
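The .pgpass approach Magnus describes, written out as an added example that is not part of the original thread or of pgAdmin's code: a small Python helper an application could call at startup after prompting the user, which writes the entry in libpq's `hostname:port:database:username:password` format, escapes literal colons and backslashes the way libpq expects, replaces an existing entry for the same host/port/database/user instead of appending a duplicate, and creates the file with mode 0600 (on Unix libpq silently ignores a .pgpass that is readable by group or others). The function names `pgpass_line`, `upsert_pgpass_entry` and `demo` are hypothetical, and the hostnames and passwords are constructed sample values.

```python
import os
import stat
import tempfile
from pathlib import Path

# .pgpass format, one entry per line:
#   hostname:port:database:username:password
# A literal ':' or '\' inside any field must be escaped with a backslash.


def escape_pgpass_field(value: str) -> str:
    """Escape one field; backslashes first so the escapes we add for colons survive."""
    return value.replace("\\", "\\\\").replace(":", "\\:")


def pgpass_line(host: str, port: int, database: str, user: str, password: str) -> str:
    """Build a single .pgpass line from its five fields."""
    return ":".join(escape_pgpass_field(str(f)) for f in (host, port, database, user, password))


def upsert_pgpass_entry(path: Path, host: str, port: int, database: str,
                        user: str, password: str) -> list[str]:
    """Write/replace the entry for (host, port, database, user) and return the file's lines.

    The file is created (or rewritten) with mode 0600 so libpq will accept it on Unix.
    """
    entry = pgpass_line(host, port, database, user, password)
    # Prefix identifying the connection identity; escaped fields never contain a bare ':'.
    key = ":".join(escape_pgpass_field(str(f)) for f in (host, port, database, user)) + ":"

    existing = path.read_text(encoding="utf-8").splitlines() if path.exists() else []
    new_lines: list[str] = []
    replaced = False
    for line in existing:
        if line.startswith(key):
            if not replaced:          # keep the entry in its original position
                new_lines.append(entry)
                replaced = True
            # any further duplicates for the same identity are dropped
        else:
            new_lines.append(line)
    if not replaced:
        new_lines.append(entry)

    # O_CREAT with 0600 covers the new-file case; the chmod covers a pre-existing
    # file that was created with looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(new_lines) + "\n")
    os.chmod(path, 0o600)
    return new_lines


def demo() -> tuple[list[str], int]:
    """Constructed walk-through: two users, then a rotated password for the first one."""
    with tempfile.TemporaryDirectory() as tmp:
        pgpass = Path(tmp) / ".pgpass"   # in practice ~/.pgpass or $PGPASSFILE
        upsert_pgpass_entry(pgpass, "db.example.com", 5432, "*", "alice", "first-secret")
        upsert_pgpass_entry(pgpass, "db.example.com", 5432, "*", "bob", "bobs-secret")
        lines = upsert_pgpass_entry(pgpass, "db.example.com", 5432, "*", "alice", "rotated:secret")
        mode = stat.S_IMODE(os.stat(pgpass).st_mode)
        return lines, mode


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Because libpq reads the file itself, the application never has to pass the password explicitly: once the entry is present, a plain connection string with only host, database and user works, and the stored password can be replaced through the same function the next time AD forces a change.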
