From: | Mark Cave-Ayland <mark(dot)cave-ayland(at)ilande(dot)co(dot)uk> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: More flexible LDAP auth search filters? |
Date: | 2017-07-17 05:38:34 |
Message-ID: | bee11e4a-ec12-bc90-4ba1-693a5f0b4321@ilande.co.uk |
Lists: | pgsql-hackers |
On 17/07/17 00:14, Stephen Frost wrote:

>> If it helps, we normally recommend that clients use ldaps for both AD
>> and UNIX environments, although this can be trickier from an
>> administrative perspective in AD environments because it can require
>> changes to the Windows firewall and certificate installation.
>
> LDAPS is better than straight LDAP, of course, but it still doesn't
> address the issue that the password is sent to the server, which both
> SCRAM and Kerberos do and is why AD environments use Kerberos for
> authentication, and why everything in an AD environment also should use
> Kerberos.
>
> Using Kerberos should also avoid the need to hack the Windows firewall
> or deal with certificate installation. In an AD environment, it's
> actually pretty straightforward to add a PG server too. Further, in my
> experience at least, there have been other changes recommended by Microsoft
> that prevent using LDAP for auth because it's insecure.

Oh sure - I'm not questioning that Kerberos is a far better choice in
pure AD environments, it's just that I spend the majority of my time in
mixed-mode environments where Windows is very much in the minority.

In my experience LDAP is often implemented badly; for example the
majority of software still uses simple binds (i.e. plain logins) rather
than using SASL binds which support a whole range of better
authentication methods (e.g. GSSAPI, and even DIGEST-MD5 has been
mandatory for v3 and is implemented on AD).

And yes, while better authentication mechanisms do exist, I find that
all too often most software packages claim LDAP support rather than
Kerberos, and even then it is often limited to LDAP simple binds without
ldaps support.

ATB,
Mark.
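To illustrate the simple-bind versus SASL-bind distinction discussed in this message, here is a small added example (written for this page, not code from the thread or from PostgreSQL): a minimal BER encoder and parser for the LDAP BindRequest of RFC 4511. It shows that a simple bind carries the password verbatim on the wire unless ldaps or StartTLS protects the connection, while a SASL bind carries only a mechanism name and an opaque token, and it classifies a captured bind so that cleartext simple binds on an unencrypted port can be flagged. The DN, password and SASL token are constructed sample values.

```python
# Added example, not from the thread or PostgreSQL: minimal BER for an RFC 4511 BindRequest
def _ber_len(n: int) -> bytes:
    # Definite length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value
def _integer(n: int) -> bytes:
    return _tlv(0x02, bytes([n]))  # enough for message IDs and versions below 128

def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    # AuthenticationChoice.simple [0] OCTET STRING: cleartext unless ldaps/StartTLS wraps it
    op = _tlv(0x60, _integer(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _integer(msg_id) + op)  # LDAPMessage { messageID, BindRequest }

def sasl_bind(msg_id: int, dn: str, mechanism: str, credentials: bytes = b"") -> bytes:
    # AuthenticationChoice.sasl [3] SaslCredentials { mechanism, credentials OPTIONAL }
    sasl = _tlv(0x04, mechanism.encode()) + (_tlv(0x04, credentials) if credentials else b"")
    op = _tlv(0x60, _integer(3) + _tlv(0x04, dn.encode()) + _tlv(0xA3, sasl))
    return _tlv(0x30, _integer(msg_id) + op)

def _read_tlv(buf: bytes, pos: int):
    # Returns (tag, value, next_pos); handles short and long definite lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg: bytes) -> dict:
    # Parse one captured LDAPMessage and report how the client authenticated
    tag, body, _ = _read_tlv(msg, 0)
    _, msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if tag != 0x30 or op_tag != 0x60:  # only BindRequest ([APPLICATION 0]) is handled
        raise ValueError("not an LDAPMessage carrying a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": msg_id[0], "version": version[0], "name": name.decode()}
    if auth_tag == 0x80:  # simple bind; an empty password is an anonymous bind
        info.update(auth="simple", password_exposed=len(auth) > 0)
    elif auth_tag == 0xA3:  # SASL bind; the first element is the mechanism name
        info.update(auth="sasl", mechanism=_read_tlv(auth, 0)[1].decode())
    return info
# Constructed sample messages (not real captures): a simple bind and a GSSAPI bind
SAMPLE_SIMPLE = simple_bind(1, "uid=alice,ou=people,dc=example,dc=com", "s3cret")
SAMPLE_SASL = sasl_bind(2, "", "GSSAPI", b"\x60\x06opaque-token")
```

Searching SAMPLE_SIMPLE for the password bytes succeeds, which is exactly what an on-path observer of port 389 sees; the SASL message exposes only the mechanism name and token.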