Thread: LDAP authentication
Does anyone know if anyone has tried to use LDAP for authentication? The management here is insisting on it. I'll write it from scratch if necessary. Any hints or pointers are appreciated.

Thanks
Richard
Postgresql supports pam. And there is pam_ldap. I haven't tried it out yet. But I'm sure you need to create users in postgresql. Just authentication comes through pam. There is no nss_ldap as far as I know.

Tommi

On Wednesday, 23 October 2002 21:38, Richard Ray wrote:
> Does anyone know if anyone has tried to use LDAP for authentication?
> The management here is insisting on it. I'll write it from scratch if
> necessary. Any hints or pointers are appreciated.
>
> Thanks
> Richard
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
I have used LDAP authentication with PHP. It works really well. I have even done it using MS domain controllers too....

On Wed, 2002-10-23 at 13:38, Richard Ray wrote:
> Does anyone know if anyone has tried to use LDAP for authentication?
> The management here is insisting on it. I'll write it from scratch if
> necessary. Any hints or pointers are appreciated.
>
> Thanks
> Richard

--
Thank you,
Ray Hunter
I've had no luck getting PAM to work with PostgreSQL on HP/UX 11.00 and I read that PostgreSQL doesn't allow user triggers on system tables. Not much left but hack the PostgreSQL authentication code.

Richard

On Wednesday 23 October 2002 03:29 pm, you wrote:
> Postgresql supports pam. And there is pam_ldap. I haven't tried it out yet.
> But I'm sure you need to create users in postgresql. Just authentication
> comes through pam. There is no nss_ldap as far as I know.
>
> Tommi
>
> On Wednesday, 23 October 2002 21:38, Richard Ray wrote:
> > Does anyone know if anyone has tried to use LDAP for authentication?
> > The management here is insisting on it. I'll write it from scratch if
> > necessary. Any hints or pointers are appreciated.
> >
> > Thanks
> > Richard
Hi,

I just tried it out. Pam works fine with pam_ldap on linux. But as I told you, you need to create database users. I just configured postgresql with --with-pam and created (or copied one and modified) a /etc/pam.d/postgresql. Here it is:

#%PAM-1.0
auth     required   pam_nologin.so
auth     sufficient pam_ldap.so
auth     required   pam_unix.so nullok try_first_pass #set_secrpc
account  sufficient pam_ldap.so
account  required   pam_unix.so
password required   pam_pwcheck.so nullok
password required   pam_ldap.so use_first_pass use_authtok
password required   pam_unix.so nullok use_first_pass use_authtok

Maybe you can create users with a cronjob, which queries ldap on a daily basis about new (and retired) users. Postgresql does need entries in pg_shadow. I think it would be hard to hack authentication so that it does not need them. It might be fine to see a generic way to create pg_shadow on the fly like nss does. It should be a table-function, which might query a ldap-tree.

Tommi

On Wednesday, 23 October 2002 23:26, Richard Ray wrote:
> I've had no luck getting PAM to work with PostgreSQL on HP/UX 11.00 and I
> read that PostgreSQL doesn't allow user triggers on system tables. Not much
> left but hack the PostgreSQL authentication code.
>
> Richard
>
> On Wednesday 23 October 2002 03:29 pm, you wrote:
> > Postgresql supports pam. And there is pam_ldap. I haven't tried it out yet.
> > But I'm sure you need to create users in postgresql. Just authentication
> > comes through pam. There is no nss_ldap as far as I know.
> >
> > Tommi
> >
> > On Wednesday, 23 October 2002 21:38, Richard Ray wrote:
> > > Does anyone know if anyone has tried to use LDAP for authentication?
> > > The management here is insisting on it. I'll write it from scratch if
> > > necessary. Any hints or pointers are appreciated.
> > >
> > > Thanks
> > > Richard

--
Dr. Eckhardt + Partner GmbH
http://www.epgmbh.de
Create a file named postgresql in your /etc/pam.d/ directory with this content

#%PAM-1.0
auth    required /lib/security/pam_ldap.so #nullok #set_secrpc
account required /lib/security/pam_ldap.so

and something like this in your pg_hba.conf

host all 10.0.0.0 255.0.0.0 pam

It worked for me. Unfortunately/fortunately you have to create each user who will access the database but this can be done easily (i.e. through a php script on an authenticated web location)

Fathi Ben Nasr

Tommi Mäkitalo wrote:
> Postgresql supports pam. And there is pam_ldap. I haven't tried it out yet. But
> I'm sure you need to create users in postgresql. Just authentication comes
> through pam. There is no nss_ldap as far as I know.
>
> Tommi
>
> On Wednesday, 23 October 2002 21:38, Richard Ray wrote:
> > Does anyone know if anyone has tried to use LDAP for authentication?
> > The management here is insisting on it. I'll write it from scratch if
> > necessary. Any hints or pointers are appreciated.
> >
> > Thanks
> > Richard
I have used LDAP authentication with PHP. It works really well. I have even done it using MS domain controllers too....

On Wed, 2002-10-23 at 13:38, Richard Ray wrote:
> Does anyone know if anyone has tried to use LDAP for authentication?
> The management here is insisting on it. I'll write it from scratch if
> necessary. Any hints or pointers are appreciated.
>
> Thanks
> Richard

--
S RAY HUNTER
email: shunter@venticon.com
email: rhunter@venticon.com
www: http://venticon.com
It is true that you have to create the users on PostgreSQL level too. But once they are created on PG-level, PAM does work fine. I had the same problem. I created a utility that synchronises the postgresql users/groups with LDAP. It is not done automatically. You have to invoke a function for it. It is pretty ugly for the moment, it was my first experience writing C-functions for PostgreSQL. I am rewriting it for PostgreSQL 7.3b2, which has a way nicer API for outputting tables in C. It does indeed consist of some C and some PLPGSQL functions. If you're interested, please shoot me an email ...

Evert

shunter@venticon.com (Ray Hunter) wrote in message news:<1035406530.2775.6.camel@pclnxrhunter.digitalglobe.com>...
> I have used LDAP authentication with PHP. It works really well. I have
> even done it using MS domain controllers too....
>
> On Wed, 2002-10-23 at 13:38, Richard Ray wrote:
> > Does anyone know if anyone has tried to use LDAP for authentication?
> > The management here is insisting on it. I'll write it from scratch if
> > necessary. Any hints or pointers are appreciated.
> >
> > Thanks
> > Richard
>
> --
> S RAY HUNTER
> email: shunter@venticon.com
> email: rhunter@venticon.com
> www: http://venticon.com
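
Added example, not part of the thread and not Evert's utility: one way to plan the periodic sync that Tommi's cron-job suggestion and Evert's message describe, so that users authenticated through PAM/LDAP also exist in PostgreSQL. The LDIF sample, the protected-role list, the uid pattern and the assumption that every non-protected database user is LDAP-managed are constructed for illustration.

```python
import re

# Roles the sync must never create or drop, whatever LDAP says (assumed list).
PROTECTED = {"postgres"}
# Conservative pattern for uid values accepted as database user names (assumption).
VALID_UID = re.compile(r"[a-z_][a-z0-9_.-]{0,62}")

# Constructed LDIF, standing in for the output of a directory search.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob

dn: uid=postgres,ou=people,dc=example,dc=org
uid: postgres

dn: cn=odd entry,ou=people,dc=example,dc=org
uid: eve"; DROP USER alice; --
"""

def ldif_uids(ldif):
    """Return the uid values in simple LDIF (no folded or base64 lines)."""
    return {line[5:].strip() for line in ldif.splitlines() if line.startswith("uid: ")}

def quote_ident(name):
    """Quote a SQL identifier, doubling any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'

def plan_sync(ldap_uids, pg_users):
    """Return (sql, rejected): statements aligning pg_users with LDAP, and refused uids."""
    rejected = sorted(u for u in ldap_uids if not VALID_UID.fullmatch(u))
    wanted = {u for u in ldap_uids if VALID_UID.fullmatch(u)} - PROTECTED
    current = set(pg_users) - PROTECTED
    # No password is set: the database entry only has to exist, PAM checks the credentials.
    sql = [f"CREATE USER {quote_ident(u)};" for u in sorted(wanted - current)]
    sql += [f"DROP USER {quote_ident(u)};" for u in sorted(current - wanted)]
    return sql, rejected

if __name__ == "__main__":
    # pg_users would come from "SELECT usename FROM pg_user"; constructed here.
    statements, refused = plan_sync(ldif_uids(SAMPLE_LDIF), ["postgres", "alice", "carol"])
    print("\n".join(statements))
    print("refused uids:", refused)
```

Directory data is validated against the pattern and then quoted as an identifier, so a malformed uid is reported rather than ending up inside a statement. Review the DROP USER lines before running them, since they affect every database user that is absent from the directory.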