Greetings,
* Paul Förster (paul.foerster@gmail.com) wrote:
> Ok, since LDAP doesn't work that way, I either need to build GSSAPI packages and have the AD admins to provide me
withthe keytab file or make the transition a "hard" one, i.e. no transition phase. Though I'd rather have liked to see
atransition phase where either account could have been used I personally can live with that. It's the developers who
willhave to change quickly, not me. ;-)
Done correctly, the developers will hopefully be going from "this stupid
thing prompts me to provide a username/password in order to log in" to
"no more prompt for logging in, it just *works*". Further, as Magnus
explained, you could actually have the mapping to allow user X to log in
by providing GSSAPI credentials Y, if they are actually still going to
be including some username in their connection request to PG (even
though they shouldn't need to, since it'll be the same between their
local Windows/AD login and the GSSAPI user that PG will see). You
should be able to make both work concurrently thanks to pg_ident.conf.
Thanks,
Stephen
