Home > mailing lists

Re: Secure LDAP auth on windows machine inside domain - Mailing list pgsql-admin

From	Stephen Frost
Subject	Re: Secure LDAP auth on windows machine inside domain
Date	May 21, 2021 18:31:49
Msg-id	20210521153149.GR20766@tamriel.snowman.net Whole thread Raw
In response to	Re: Secure LDAP auth on windows machine inside domain (Rocco Kreutz <r.kreutz@prodat-sql.de>)
Responses	Re: Secure LDAP auth on windows machine inside domain
List	pgsql-admin

Tree view

Greetings,

* Rocco Kreutz (r.kreutz@prodat-sql.de) wrote:
> It must be LDAP, because the users need to use a shortened diffrent login,
> which is stored in ad

You can map users using pg_ident.conf, there's no need to use LDAP to
have a different login name in the database, and it's not secure to use
LDAP.

When LDAP is used, the user's credentials are seen by the server in the
clear (and there's not really anything you can do about that, it's the
nature of that auth method) and therefore if the DB server is
compromised then everyone's credentials who logs into the DB server will
also be compromised (TLS/SSL doesn't help because that only protects
traffic across the network).

Thanks,

Stephen

Attachment

signature.asc

pgsql-admin by date:

From: Rocco Kreutz
Date: 21 May 2021, 15:57:27
Subject: Re: Secure LDAP auth on windows machine inside domain

From: Dirk Krautschick
Date: 22 May 2021, 02:49:29
Subject: Experience with login_hook or any other solution for logon trigger

Re: Secure LDAP auth on windows machine inside domain - Mailing list pgsql-admin

Attachment

Previous

Next