On Sun, 2024-06-23 at 14:14 +0100, Martin Goodson wrote:
> On 23/06/2024 11:49, Christoph Moench-Tegeder wrote:
> > My advice would be to not use secrets stored in the database -
> > that is, do not use scram-sha-256 - but use an external authentication
> > system, like Kerberos (might be AD) or LDAP (might also be AD) and have
> > that managed by the security team: that way all these compliance
>
> Crikey, that would be quite a lot of lot of SSL/TLS to set up. We have quite a
> few (massive understatement :( ... ) PostgreSQL database clusters spread over
> quite a lot (another understatement) of VMs.
>
> The last time I suggested LDAP there was a lot of enthusiasm ... until they went
> down and looked at what might have to be done, after which it all became very quiet ...
Yes, LDAP is not perfect for that - for one, every connection to the database would
also hit the LDAP server.
Kerberos or certificate authentication is probably better.
For many PostgreSQL clusters and clients, that might be a lot of work.
But not all your PostgreSQL databases will contain equally sensitive data.
You could start with the important ones, try to automatize as much as possible,
and roll out the changes over time.
Yours,
Laurenz Albe
