Thread: PAM Authentication for PostgreSQL...

PAM Authentication for PostgreSQL...

From: "Dominic J. Eidson"
Date:

A couple {days,weeks} ago, someone sent an email to one of the pgsql-*
lists asking if anybody had thought about implementing the glue to use PAM
as authentication method for PostgreSQL. Having thought about being able
to easily drop in various external authentication agents, I've been
thinking about using PAM for PostgreSQL for a while... The recent thread
inspired me, and I have now finished (and tested - imagine that :) the
code.

I vaguely remember there were a few points brought up for discussion
during the short thread - unfortunately I was unable to find it in the
archives (the search somehow seems not to be working (anymore)) - and I
deleted all but one email - the one from Peter:

> Peter Eisentraut writes:
> Konstantinos Agouros writes:
> > I would really like to be able to use external authentication-methods
> > (the password not the itself) to avoid setting up passwords.
> 
> What particular method that does not use passwords are you interested in?

I think his question should be read as "... to avoid having to set up local
postgresql passwords."

... Imagine the following scenario:

Relatively large enterprise (6000+ employees), where several departments
have a need to use databases of various kinds. (Currently, unfortunately,
all Access Shared filesystem databases... Yuk.)

Nice shiny PostgreSQL server sitting in the corner with lots of
(currently) free disk space on it - places where, through ODBC, we could
stuff the data from all these Access databases, and 1) get them off the
network (and off IPX), and 2) central repository that is easy to back up,
administrate, etc...

Now, it would be annoying to have to maintain local passwords for
PostgreSQL for all of the X number of users who will be having tablespace
on this server. This would be an excellent place for PAM, in cooperation
with something like pam_ldap - the module that lets PAM authenticate into
LDAP (which, in our case, sits on top of NDS, and contains all the
user/etc information.)

I have several other examples where this could come in handy (Oddly
enough, most of them involving LDAP... imagine that. :)


Is there any discussion before I submit the patch to -patches?

-Dominic

-- 
Dominic J. Eidson                                       "Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/              http://www.the-infinite.org/~dominic/






Re: PAM Authentication for PostgreSQL...

From: Thomas Lockhart
Date:

> Is there any discussion before I submit the patch to -patches?

Since we can, or should be able to, run postgres as a backend to ldap,
this seems to give a wonderfully circular system (which probably works
just fine). Just a comment...
                     - Thomas


RE: PAM Authentication for PostgreSQL...

From: "Ryan M. Hager"
Date:

Dominic,

I like your idea.  One of the benefits of SQLServer 2000 is that I can assign a
role in the database to an NT group.  At that point, all I have to do is add
a user to the group to be able to access that database.  Would your solution
include this scenario?  This lets me assign all the resources needed for an
application to a group.  Then to let people access the application, all I
have to do is add them to a group in one spot.

Ryan.