From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Holger Jakobs <holger(at)jakobs(dot)com> |
Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
Subject: | Re: Use AD-account as login into Postgres. |
Date: | 2024-02-22 17:48:40 |
Message-ID: | ZdeI+DoZ97jRUXv/@tamriel.snowman.net |
Lists: | pgsql-admin |

Greetings,

* Holger Jakobs (holger(at)jakobs(dot)com) wrote:
> SSPI using AD accounts for authentication works only in a complete Windows
> environment. The client and the server machine have to be members of the same
> AD environment, which isn't possible for non-Windows machines. Otherwise,
> there is no trust between the machines.

This isn't accurate- you can certainly have cross-realm trust between
Windows and non-Windows realms and you can also have non-Windows systems
joined to a Windows realm. On the Windows systems, this uses SSPI, and
on the non-Windows systems it uses GSSAPI, but the two are compatible
and will work with each other just fine for authentication.

> An automatic creation of PostgreSQL roles from AD accounts has to be done
> outside PostgreSQL, i.e. by a script running regularly.

This is accurate, though there are tools out there to do this for you,
such as: https://github.com/larskanis/pg-ldap-sync

Thanks,

Stephen
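
An added example, not code from this thread or from pg-ldap-sync, of the planning step a regularly run role-sync script needs: it compares AD accounts with the roles it manages and emits SQL with safely quoted identifiers. The `ad_users` marker role, the function names and the sample data are assumptions; the directory lookup and the database connection are left to the caller.

```python
"""Added example: plan PostgreSQL role changes from a list of AD accounts."""

MANAGED_GROUP = "ad_users"  # hypothetical marker role: only its members are touched


def quote_ident(name: str) -> str:
    """Quote an SQL identifier so a directory-supplied name cannot inject SQL."""
    if not name or "\x00" in name:
        raise ValueError(f"unusable role name: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def plan_role_sync(ad_accounts, managed_roles):
    """Return SQL statements that bring the managed roles in line with AD.

    ad_accounts:   iterable of (sAMAccountName, enabled) pairs from the directory
    managed_roles: dict of role name -> can_login for members of MANAGED_GROUP
    """
    # AD account names are case-insensitive, PostgreSQL role names are not:
    # fold to lower case so "JDoe" and "jdoe" map to one role.
    wanted = {name.lower() for name, enabled in ad_accounts if enabled}
    existing = set(managed_roles)
    group = quote_ident(MANAGED_GROUP)
    statements = []

    for name in sorted(wanted - existing):
        # No password is set: authentication is left to GSSAPI/SSPI.
        statements.append(f"CREATE ROLE {quote_ident(name)} LOGIN IN ROLE {group};")

    for name in sorted(wanted & existing):
        if not managed_roles[name]:  # account was re-enabled in AD
            statements.append(f"ALTER ROLE {quote_ident(name)} LOGIN;")

    for name in sorted(existing - wanted):
        if managed_roles[name]:
            # Disable instead of DROP ROLE, which fails while the role owns objects.
            statements.append(f"ALTER ROLE {quote_ident(name)} NOLOGIN;")
    return statements


# Constructed sample data, not taken from a real directory or cluster.
SAMPLE_AD = [("JDoe", True), ("asmith", True), ("old.user", False), ('weird"name', True)]
SAMPLE_ROLES = {"asmith": True, "old.user": True, "gone": True, "jdoe": False}

if __name__ == "__main__":
    for stmt in plan_role_sync(SAMPLE_AD, SAMPLE_ROLES):
        print(stmt)
```

Roles outside the marker group never appear in `managed_roles`, so superusers and application roles are never altered by the plan.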