| From: | Benedict Holland <benedict(dot)m(dot)holland(at)gmail(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Bjørn T Johansen <btj(at)havleik(dot)no>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Authentication? |
| Date: | 2018-03-07 15:36:21 |
| Message-ID: | CAD+mzoyzp5xwPf0Nq=TLCs9T5DJTJPPonVAWVR_XjRFvBTxaUA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Not to get off topic, can you authenticate database users via Kerberos?
Thanks,
~Ben
On Wed, Mar 7, 2018 at 10:19 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> Greetings,
>
> * Bjørn T Johansen (btj(at)havleik(dot)no) wrote:
> > Is it possible to use one authentication method as default, like LDAP,
> and if the user is not found, then try to authenticate using
> > md5/scram-sha-256 ?
>
> Not directly in pg_hba.conf. You might be able to construct a system
> which works like this using PAM though, but it wouldn't be much fun.
>
> LDAP use really should be discouraged as it involves sending the
> password to the PG server. If you are operating in an active directory
> environment then you should be using GSSAPI/Kerberos.
>
> SCRAM is a good alternative as it doesn't send the password to the
> server either, though that is only available in PG10, of course.
>
> Thanks!
>
> Stephen
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2018-03-07 15:40:40 | Re: Authentication? |
| Previous Message | Scott Frazer | 2018-03-07 15:21:51 | Re: Help troubleshooting SubtransControlLock problems |