| From: | Chris Travers <chris(dot)travers(at)gmail(dot)com> |
|---|---|
| To: | Jeremy Palmer <JPalmer(at)linz(dot)govt(dot)nz> |
| Cc: | "SUNDAY A(dot) OLUTAYO" <olutayo(at)sadeeb(dot)com>, Craig Ringer <ringerc(at)ringerc(dot)id(dot)au>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Windows SIngle Sign On - LINUX Server |
| Date: | 2012-08-25 09:34:18 |
| Message-ID: | CAKt_Zfu3_KL2T-hEFJEnJwzeijBpSjK6zF-HyeNPsMpxZ9Uxnw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, Aug 24, 2012 at 1:29 PM, Jeremy Palmer <JPalmer(at)linz(dot)govt(dot)nz> wrote:
> Marcus' guide looks great.
>
> So what's the pros/cons of using the Kerberos via GSSAPI method, rather
> than going for the SingleSignOn method mentioned by Sunday?
>
> Cons:
More complicated to set up.
There are a few odd things about AD and Kerberos that take some getting
used to. For example iirc, systems get keys rather than services, so your
keytab ends up showing identical keys for every service on a machine
Pros:
Far more secure
True single-sign-on (users do not have to enter passwords).
Unlike LDAP does not require degrading DC security.
I would honestly go with GSSAPI.
It's not quite the same thing but a paper I wrote (published by Microsoft!)
is likely to be helpful here:
The paper discusses using kerberized authentication for OpenSSH against AD.
In principle, PostgreSQL should be relatively similar. The paper may be
of help here.
Best Wishes,
Chris Travers
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Edson Richter | 2012-08-25 12:56:38 | Re: Postgresql 9.1 on VMWare ESXi 5.0 |
| Previous Message | Jukka Inkeri | 2012-08-25 09:19:09 | Permission denied for relation pg_database , one role has problem |