Greetings,
* Chris Stephens (cstephens16@gmail.com) wrote:
> yes, shortly after I sent this out to the list, one of our security
> administrators suggested ldapscheme. I just tested and ldapurl works as
> well.
>
> the security admin explained it like this:
>
> "since we are using port 636 I know that it needs the TLS connection in
> place before LDAP commands. starttls does the opposite. allows an LDAP
> connection to "upgrade" to TLS. so the previous errors were simply it
> unable to connect to server."
>
> I'm guessing information like that doesn't belong in postgresql
> documentation but it would have been useful yesterday. :)
Might be interesting to know if the security administrator also
understands that the way ldap-based auth works (at least in PG) is that
the user's password is sent to the PG server where it could potentially
be hijacked if the PG server is compromised.
If you're in an active directory environment, you really should be using
the 'gss' method instead, which is Kerberos underneath and avoids that
issue.
> thanks for the response! I just recently made the switch to postgresql
> after 20 years of mainly Oracle. during that time, the oracle-l mailing
> list was invaluable as a learning tool and as a way to get help
> when needed. it's great to know there's a similar mailing list in the
> postgresql community!
You're certainly welcome here! One thing to mention is that, as you may
have noticed, we communicate on these lists by responding in-line rather
than 'top-posting', since it makes things easier for everyone else on
the list to follow.
Thanks, and welcome!
Stephen
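As an added example (not part of this thread and not PostgreSQL's own tooling), the following Python script lints pg_hba.conf entries for the two points raised above: an `ldap` entry that pairs port 636 with `ldaptls=1` (StartTLS) instead of `ldapscheme=ldaps` or an `ldaps://` `ldapurl`, and the fact that every `ldap` entry routes the user's password through the PostgreSQL server, which `gss` does not. The sample pg_hba.conf content, hostnames, realm and networks are constructed placeholders; the 389/636 default ports are assumed library defaults when no port is given.

```python
"""Lint pg_hba.conf LDAP entries for the pitfalls discussed in the thread (added example)."""
import shlex
from urllib.parse import urlparse

# Constructed sample pg_hba.conf; hostnames, realm and networks are placeholders.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE USER ADDRESS     METHOD OPTIONS
hostssl all      all  10.0.0.0/8  ldap ldapserver=ldap.example.com ldapport=636 ldaptls=1 ldapbasedn="dc=example,dc=com" ldapsearchattribute=sAMAccountName
hostssl all      all  10.0.0.0/8  ldap ldapserver=ldap.example.com ldapscheme=ldaps ldapbasedn="dc=example,dc=com"
hostssl all      all  10.0.0.0/8  ldap ldapurl="ldaps://ldap.example.com/dc=example,dc=com?sAMAccountName"
hostssl all      all  10.0.0.0/8  ldap ldapserver=ldap.example.com ldapbasedn="dc=example,dc=com"
hostssl all      all  10.0.0.0/8  gss include_realm=0 krb_realm=EXAMPLE.COM
"""

PORT_636 = ("port 636 expects TLS before any LDAP traffic; use ldapscheme=ldaps "
            "(or an ldaps:// ldapurl), not ldaptls=1 (StartTLS)")
NO_TLS = "no TLS to the LDAP server: the bind password crosses the network unencrypted"
PASSWORD_VIA_PG = ("ldap method: the PostgreSQL server receives the user's password; "
                   "prefer gss (Kerberos) in an Active Directory environment")


def parse_entry(line):
    """Split one pg_hba.conf line into (type, method, options dict); None for blank/comment."""
    tokens = shlex.split(line, comments=True)  # handles "quoted" option values and # comments
    if not tokens:
        return None
    # 'local' lines have no ADDRESS column; every host* type does.
    method_idx = 3 if tokens[0] == "local" else 4
    if len(tokens) <= method_idx:
        return None
    opts = {}
    for tok in tokens[method_idx + 1:]:
        key, sep, val = tok.partition("=")
        if sep:
            opts[key] = val
    return tokens[0], tokens[method_idx], opts


def ldap_transport(opts):
    """Derive (scheme, port, starttls) from either ldapurl or the discrete ldap* options."""
    if "ldapurl" in opts:
        url = urlparse(opts["ldapurl"])
        scheme, port = url.scheme, url.port
    else:
        scheme = opts.get("ldapscheme", "ldap")
        port = int(opts["ldapport"]) if "ldapport" in opts else None
    if port is None:
        port = 636 if scheme == "ldaps" else 389  # assumed LDAP library defaults
    return scheme, port, opts.get("ldaptls") == "1"


def lint_entry(line):
    """Return the list of findings for one pg_hba.conf line (empty when nothing applies)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    _, method, opts = parsed
    if method != "ldap":
        return []  # gss (Kerberos) and other methods: nothing the thread warns about
    scheme, port, starttls = ldap_transport(opts)
    findings = []
    if port == 636 and scheme != "ldaps":
        findings.append(PORT_636)  # the misconfiguration from the thread
    if scheme != "ldaps" and not starttls:
        findings.append(NO_TLS)
    findings.append(PASSWORD_VIA_PG)  # applies to every ldap entry
    return findings


def lint_pg_hba(text):
    """Return [(entry line, findings)] for every entry with at least one finding."""
    report = []
    for line in text.splitlines():
        findings = lint_entry(line)
        if findings:
            report.append((line.strip(), findings))
    return report


if __name__ == "__main__":
    for entry, findings in lint_pg_hba(SAMPLE_PG_HBA):
        print(entry)
        for finding in findings:
            print("   -", finding)
```

Run against a real file with `lint_pg_hba(open("/path/to/pg_hba.conf").read())`; the first sample entry reproduces the failing setup from the thread, the second and third are the working `ldapscheme=ldaps` and `ldapurl` variants, and the `gss` entry produces no findings.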