Re: Using more than one LDAP?

From: Paul Förster <paul(dot)foerster(at)gmail(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: "pgsql-general(at)postgresql(dot)org >> PG-General Mailing List" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Using more than one LDAP?
Date: 2021-01-07 09:40:46
Message-ID: CC9B3338-9972-4210-893C-895DDC7D5E8C@gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Hi Magnus,

> On 06. Jan, 2021, at 16:57, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>
> Yes. But you have a really hacky environment :P

actually not. We have an old LDAP which we want to retire this year. And we also have Windows AD, which offers LDAP. So the idea is to switch the LDAP environments in PostgreSQL. The old LDAP uses aaa-u1, aaa-u2, etc. which are also accounts in the database. But our Windows AD has bbb-u1, bbb-u2, etc. So just switching LDAPs doesn't work. I'd also have to rename all users. Though it's just a one-liner, it would mean that users have to use their new names from one second to the next. But we want a transition phase if that's possible.

> You could have a third LDAP instance that federates the other two.
>
> Another option could be to proxy it through something like FreeRADIUS.
> I'm fairly certain it can also move on to a secondary server if the
> first one reports login failure.

I can't. I'm no sysadmin and have no rights on systems to install anything except the PostgreSQL software. Also, the network guys wouldn't be too happy. And then, there is a problem introducing new software, which is possible, but can take months for us to get the necessary permissions.

> I assume you're not using any of the standard packagings then, as I
> believe they all come with support for GSSAPI. Yet another reason why
> it's a good idea to use that :)

no, we always compile from source and only what we need. I can build packages with GSSAPI compiled into it but it does require me do have a small service interruption if I install packages with the same PostgreSQL version number, a situation, which I'd like to avoid, if possible.

> And no, gssapi does not use certificates.

that's good news as I'm not really happy about all that certificate stuff. ;-)

> pg_ident only works for authentication methods where the username
> comes from the other system, such as with Kerberos. It does not work
> for LDAP, where the username is specified in PostgreSQL.

I don' understand that. The doc says it should work for all external authentication services. Maybe I misread something?...

Cheers,
Paul

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Paul Förster 2021-01-07 09:45:31 Re: LDAP(s) doc misleading
Previous Message Rob Northcott 2021-01-07 09:24:57 RE: Keep needing to run manual analyze