* u235sentinel (u235sentinel@gmail.com) wrote:
> We would have to rebuild the binaries and we're already heavily using
> the database. I could rebuild it again but it's like the fourth time
> I've been asked to add a feature. I did read that GSSAPI was the way to
> go but I'm being told to try using LDAP instead. I don't have a lot of
> experience with either but I'll be able to figure it out I think :-)

Perhaps you should look at how the package managers under Debian or
RedHat build PG and turn on a similar set of options. They typically
try to turn on everything possible and when they have to make choices
they go with what would be appropriate for most. That would probably
reduce the amount of rebuilding you need to do. Or you could just use
packages to begin with and probably would have avoided this entirely. :)

Using LDAP to do pass-thru auth is really horrid when Kerberos is
available, if you ask me. It's also a lot more fragile and will cause
problems when users change their passwords and they have them stored in
things like ODBC settings, etc. With LDAP auth, users still have to
provide their password to the database server which then turns around
and tries to use the users' credentials to bind to the LDAP directory.
You'll also really want to make sure you're doing SSL for your database
connections and SSL on your LDAP connections.

Thanks,
Stephen
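
Added example, not part of the original message: a small Python check that reads a pg_hba.conf and flags `ldap` entries that do not require SSL on the client connection or on the connection to the LDAP server, the two points raised above. The sample file, host names and realm are constructed; the option names (`ldaptls`, `ldapscheme`, `ldapurl`) are those of current PostgreSQL releases and may differ on older versions.

```python
import shlex

# Authentication methods pg_hba.conf accepts; used to locate the METHOD field.
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
           "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

def audit_hba(text):
    """Return (line_number, problem) tuples for ldap entries lacking TLS."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # handles quotes and '#'
        if len(fields) < 4:
            continue
        conn_type = fields[0]
        # "local" has no address column; host lines have one or two (IP + mask).
        start = 3 if conn_type == "local" else 4
        idx = next((i for i in range(start, len(fields))
                    if fields[i] in METHODS), None)
        if idx is None or fields[idx] != "ldap":
            continue
        opts = dict(f.split("=", 1) for f in fields[idx + 1:] if "=" in f)
        # With ldap auth the client sends its password to the database server,
        # so the entry should be hostssl rather than host/hostnossl.
        if conn_type in ("host", "hostnossl"):
            findings.append((lineno, "client connection does not require SSL"))
        # The server then binds to the directory with that same password.
        ldap_tls = (opts.get("ldaptls") == "1"
                    or opts.get("ldapscheme") == "ldaps"
                    or opts.get("ldapurl", "").startswith("ldaps://"))
        if not ldap_tls:
            findings.append((lineno, "LDAP bind is not encrypted"))
    return findings

# Constructed sample file for illustration.
SAMPLE = """\
# TYPE  DATABASE USER ADDRESS     METHOD
local   all      all              peer
host    all      all  10.0.0.0/8  ldap ldapserver=ldap.example.com ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=com"
hostssl all      all  10.0.0.0/8  ldap ldapserver=ldap.example.com ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=com"
hostssl all      all  10.0.0.0/8  gss include_realm=0 krb_realm=EXAMPLE.COM
"""

if __name__ == "__main__":
    for lineno, problem in audit_hba(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Only the third line of the sample is reported, once for each missing protection; the `gss` entry is never flagged because no password is sent to the database server with that method.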