Re: Lock Postgres account after X number of failed logins? - Mailing list pgsql-general

From Stephen Frost
Subject Re: Lock Postgres account after X number of failed logins?
Msg-id 20200507151424.GB13712@tamriel.snowman.net
In response to Re: Lock Postgres account after X number of failed logins?  (Geoff Winkless <pgsqladmin@geoff.dj>)
List pgsql-general
Greetings,

* Geoff Winkless (pgsqladmin@geoff.dj) wrote:
> On Wed, 6 May 2020, 14:28 Stephen Frost, <sfrost@snowman.net> wrote:
> > * Geoff Winkless (pgsqladmin@geoff.dj) wrote:
> > > On Wed, 6 May 2020 at 00:05, Tim Cross <theophilusx@gmail.com> wrote:
> > > > Where Tom's solution fails is with smaller companies that cannot afford
> > > > this level of infrastructure.
> > >
> > > Is there an objection to openldap?
> >
> > LDAP-based authentication in PG involves passing the user's password to
> > the database server in the clear (or tunneled through SSL, but that
> > doesn't help if the DB is compromised), so it's really not a good
> > solution
>
> If your DB is compromised then (if the LDAP server is only used for the db)
> what difference does it make to lose the passwords?

Seems rather unlikely to be reasonable to set up an LDAP server for
every independent DB, but if you really want to go down that route,
you're very likely to end up in the same situation- users will reuse
their password from their AD account (and/or somewhere else).

> I was (as per the thread) suggesting a simple way for small companies to
> achieve the OP's requirements without a large infrastructure investment and
> without involving the pg team undertaking the rediscovery of novel circular
> transportation-assisting devices.

The OP's comment was actually that they *have* AD in place, but there's
cases where they don't want to use AD for one reason or another.
Suggesting setting up another service like OpenLDAP seems unlikely to
really answer that, but who knows.

> Any large company will have an AD or similar setup already, clearly I'm not
> suggesting using it in that situation.

Except that's the case that was presented here- they have AD but they
don't want to use it for some subset of accounts.

> AIUI you can configure kerberos with openldap if that's more your thing,
> fwiw, but then IME the learning curve (and thus setup cost) increases
> exponentially.

Yes, you can set up OpenLDAP with Kerberos auth through SASL, you just
need an appropriate service princ from a KDC (eg: Active Directory, MIT
Kerberos, or Heimdal).  Isn't terribly hard, and is part of what's
called "LDAPv3", which is when SASL support was added (RFC 2251... from
1997).

I have to admit that I've not tried to make PG w/ 'ldap' auth use
Kerberos to connect to an LDAP server.  While it likely could be done,
in such a case you've already got a KDC and presumably would rather be
using Kerberos to auth to all of your services, including PG.

Thanks,

Stephen
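
Stephen's point about the `ldap` method (the user's password reaches the database server, whatever tunnel carries it) and his closing remark about preferring Kerberos end to end, shown as a pg_hba.conf comparison. This fragment is added here for illustration; it is not part of the thread, and not taken from the PostgreSQL project's own documentation. The hostnames, realm, base DN and subnet are placeholders.

```conf
# Added example, not from the thread or from the PostgreSQL project.
# ldap.example.invalid, EXAMPLE.INVALID, the base DN and 10.0.0.0/8 are placeholders.
#
# TYPE      DATABASE  USER  ADDRESS     METHOD  [OPTIONS]

# "Simple bind" LDAP auth: the client sends its cleartext password to
# PostgreSQL, which then binds to the LDAP server as that user.  TLS on the
# client connection (hostssl) and ldaptls=1 on the second hop protect the
# wire, but the PostgreSQL host itself still handles every password, which
# is the exposure Stephen describes for a compromised DB server.
hostssl     all       all   10.0.0.0/8  ldap ldapserver=ldap.example.invalid ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=invalid"

# "Search+bind" variant: same property, PostgreSQL still needs the user's
# cleartext password to perform the final bind after the search.
hostssl     all       all   10.0.0.0/8  ldap ldapserver=ldap.example.invalid ldaptls=1 ldapbasedn="ou=people,dc=example,dc=invalid" ldapsearchattribute=uid

# GSSAPI/Kerberos: the client presents a service ticket obtained from the
# KDC (Active Directory, MIT Kerberos or Heimdal); the password never leaves
# the client and the KDC.  A failed-login lockout policy then lives at the
# KDC rather than in PostgreSQL.  hostgssenc additionally requires the
# connection itself to be GSSAPI-encrypted (PostgreSQL 12 and later).
hostgssenc  all       all   10.0.0.0/8  gss include_realm=0 krb_realm=EXAMPLE.INVALID

# Local fallback for the subset of accounts deliberately kept out of AD:
# SCRAM over TLS, so that with password_encryption = scram-sha-256 the
# server stores only a salted verifier rather than a reusable secret.
hostssl     all       all   10.0.0.0/8  scram-sha-256
```

Entries are matched top to bottom, so in a real file the `gss` line would normally come first and the `ldap` lines would be restricted to the specific users or databases that genuinely need them; the side-by-side layout above is only to make the difference in where the password travels visible.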
