Re: Lock Postgres account after X number of failed logins? - Mailing list pgsql-general

From Tim Cross
Subject Re: Lock Postgres account after X number of failed logins?
Date
Msg-id 878si5jltf.fsf@gmail.com
In response to Re: Lock Postgres account after X number of failed logins?  (Geoff Winkless <pgsqladmin@geoff.dj>)
List pgsql-general
Geoff Winkless <pgsqladmin@geoff.dj> writes:

> On Wed, 6 May 2020 at 00:05, Tim Cross <theophilusx@gmail.com> wrote:
>> Where Tom's solution fails is with smaller companies that cannot afford
>> this level of infrastructure.
>
> Is there an objection to openldap? It's lightweight (so could
> reasonably be run on the same hardware without significant impact),
> BSD-ish and mature, and (with the password policy overlay) should
> provide exactly the functionality the OP requested.
>

OpenLDAP is certainly the way I would go. However, for a number of
reasons, smaller companies seem somewhat resistant to that level of
integration. I suspect it is primarily because LDAP skills are less
prevalent amongst admins in these areas. Often, these companies don't
really have a planned architecture - things have grown organically and
got to the point where existing resources are fully allocated just
trying to keep all the bits running. It can be hard to sell the idea,
especially as those making the decisions are not across the issues and,
from where they sit, it all looks to be working and you're asking for more
resources when it doesn't seem to be broken. The IT guys often fail to
sell the benefits because they focus on the technical aspects rather
than on the business aspects.

One client I helped had admins who had been trying to move everything
over to a centralised LDAP solution for ages and failing. They had
presented great justification for why it was needed, but it focused on
the technical benefits rather than the business continuity, process
improvement and security benefits. Once we put together a new business
case which focused on improved processes for managing access, reduced
security audit costs and improved security controls, they were sold and
made the project a priority. 

Based on additional info I saw from the OP and plans to roll out
many databases, I think a centralised directory service approach is
really their only saleable and maintainable solution. In fact, they
probably need to look at their overall identity management architecture.
Failure to get that basic service correct will result in a major support
issue blow-out as they increase their customer base.

-- 
Tim Cross
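As an added example of the setup Geoff and Tim are describing (this is not code from the thread, from OpenLDAP or from PostgreSQL): the cn=config LDIF below enables the OpenLDAP password policy overlay and defines a default policy that locks a DN after five failed binds. Everything concrete in it is an assumption chosen for illustration: the suffix dc=example,dc=com, the database entry olcDatabase={1}mdb, the module path /usr/lib/ldap, and the thresholds (5 failures within 10 minutes, 15 minute lockout). Adjust them to the directory you actually run, and apply the three pieces in order with ldapmodify/ldapadd as the config root DN.

```ldif
# 1. Load the ppolicy overlay module (OpenLDAP 2.4 also needs the
#    ppolicy schema loaded first; 2.5+ carries it built in).
#    The module path is an assumption; check your distribution.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: ppolicy.la

# 2. Attach the overlay to the database holding the user entries.
#    {1}mdb is an assumption; list olcDatabase=* under cn=config to find yours.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# hash userPassword on the server if a client sends it in clear
olcPPolicyHashCleartext: TRUE
# FALSE (the default) makes a locked account fail with a plain
# "invalid credentials" instead of telling the client it is locked,
# so an attacker cannot distinguish lockout from a wrong password.
olcPPolicyUseLockout: FALSE

# 3. The policy itself. pwdPolicy is auxiliary, so it rides on a
#    structural class (person here). ou=policies must already exist.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# lock the DN after pwdMaxFailure failed binds...
pwdLockout: TRUE
pwdMaxFailure: 5
# ...counted within a 600 second window (0 = only reset by a good bind)
pwdFailureCountInterval: 600
# ...for 900 seconds (0 = locked until an admin clears
# pwdAccountLockedTime on the entry)
pwdLockoutDuration: 900
# unrelated to lockout, but cheap to enforce in the same place
pwdMinLength: 12
pwdCheckQuality: 1
```

The lockout only counts binds as the user's own DN, so PostgreSQL has to authenticate through LDAP rather than with a local md5/scram password. A pg_hba.conf line in search+bind mode along the lines of: hostssl all all 10.0.0.0/8 ldap ldapserver=ldap.example.com ldaptls=1 ldapbasedn="ou=people,dc=example,dc=com" ldapsearchattribute=uid (hostnames and DNs again assumed) makes the server look the user up and then bind as the found DN with the supplied password; that second bind is the one ppolicy counts and refuses once pwdMaxFailure is reached. Two caveats a practitioner should check: the bind sends the password to the directory, so ldaptls=1 (StartTLS) or an ldaps:// server is not optional, and a matching role still has to exist in PostgreSQL (CREATE ROLE), since LDAP only answers the authentication question, not authorization.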
