Stephen Frost wrote:
> * John McCawley (nospam@hardgeus.com) wrote:
>> (I am working on this project with Derrick.) We have to use the Active
>> Directory to authenticate not only users from our client-side app (We're
>> attempting to use PostgreSQL essentially as a proxy authentication
>> mechanism), but also for connections to the SFTP server, and finally our
>> web app. Rather than doing three separate binding mechanisms, we wanted
>> to do the PAM/AD work once, and then have everything else defer to PAM
>> for authentication.
Ok. That certainly makes sense. Just that I can't help you then :-)
> Have you considered using Kerberos to auth against AD instead of trying
> to use LDAP binding? If you still want to use PAM then you might check
> out libpam-krb5, which from a bit of googling appears to work w/ AD
> Kerberos. Of course, an alternative might be to try using the native
> Kerberos support in Postgres which I've heard may work w/ the Postgres
> ODBC driver...
The native one works very well with the ODBC driver, and should work
with anything based off libpq. Which means anything that's not Java or
.NET, I think.
> Personally, I've gotten the Postgres ODBC driver working under windows
> with MIT Kerberos and I've gotten Firefox under Windows working w/ MIT
> Kerberos and using negotiate with Apache2 to authenticate users of
> PhpPgAdmin to Postgres. I'm pretty sure all of this is possible with AD
> instead of MIT Kerberos, or possibly even through a cross-realm setup.
It works with AD on the server side, you still need to install MIT
Kerberos on the client.
//Magnus
