| From: | Paul Förster <paul(dot)foerster(at)gmail(dot)com> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | "pgsql-general(at)postgresql(dot)org >> PG-General Mailing List" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Using more than one LDAP? |
| Date: | 2021-01-07 09:40:46 |
| Message-ID: | CC9B3338-9972-4210-893C-895DDC7D5E8C@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi Magnus,
> On 06. Jan, 2021, at 16:57, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>
> Yes. But you have a really hacky environment :P
actually not. We have an old LDAP which we want to retire this year. And we also have Windows AD, which offers LDAP. So the idea is to switch the LDAP environments in PostgreSQL. The old LDAP uses aaa-u1, aaa-u2, etc. which are also accounts in the database. But our Windows AD has bbb-u1, bbb-u2, etc. So just switching LDAPs doesn't work. I'd also have to rename all users. Though it's just a one-liner, it would mean that users have to use their new names from one second to the next. But we want a transition phase if that's possible.
> You could have a third LDAP instance that federates the other two.
>
> Another option could be to proxy it through something like FreeRADIUS.
> I'm fairly certain it can also move on to a secondary server if the
> first one reports login failure.
I can't. I'm no sysadmin and have no rights on systems to install anything except the PostgreSQL software. Also, the network guys wouldn't be too happy. And then, there is a problem introducing new software, which is possible, but can take months for us to get the necessary permissions.
> I assume you're not using any of the standard packagings then, as I
> believe they all come with support for GSSAPI. Yet another reason why
> it's a good idea to use that :)
no, we always compile from source and only what we need. I can build packages with GSSAPI compiled into it but it does require me do have a small service interruption if I install packages with the same PostgreSQL version number, a situation, which I'd like to avoid, if possible.
> And no, gssapi does not use certificates.
that's good news as I'm not really happy about all that certificate stuff. ;-)
> pg_ident only works for authentication methods where the username
> comes from the other system, such as with Kerberos. It does not work
> for LDAP, where the username is specified in PostgreSQL.
I don' understand that. The doc says it should work for all external authentication services. Maybe I misread something?...
Cheers,
Paul
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Paul Förster | 2021-01-07 09:45:31 | Re: LDAP(s) doc misleading |
| Previous Message | Rob Northcott | 2021-01-07 09:24:57 | RE: Keep needing to run manual analyze |