Thread: LDAP Authentication?

LDAP Authentication?

From
"Magnus Hagander"
Date:
People,


After writing dblink-ldap (http://pgfoundry.org/projects/dblink-ldap),
several people have contacted me asking if this will give LDAP
authentication to PostgreSQL, because they need this. And this is before
I've even released it, so apparently there are a lot of people who want
this.

You can do this today using PAM authentication, but this is not always
possible. Notably it's never possible on Windows, and there are several
unix platforms/distros that don't support it without a lot of work.

It should be fairly easy to write a LDAP "backend" to password
authentication using openldap, winldap or whatever ldap library is
available.

Before I start working on anything I'd like to check if a patch for this
would be accepted?


//Magnus


Re: LDAP Authentication?

From
Peter Eisentraut
Date:
Magnus Hagander wrote:
> You can do this today using PAM authentication, but this is not always
> possible. Notably it's never possible on Windows, and there are
> several unix platforms/distros that don't support it without a lot of
> work.

Or you port PAM to Windows, and then everybody wins.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/


Re: LDAP Authentication?

From
"Magnus Hagander"
Date:
> > You can do this today using PAM authentication, but this is
> not always
> > possible. Notably it's never possible on Windows, and there are
> > several unix platforms/distros that don't support it
> without a lot of
> > work.
>
> Or you port PAM to Windows, and then everybody wins.

Well, for one that's going to be a *lot* more work. I'm not even sure
how many of the concepts would apply to win32, but then I don't really
know PAM...

It also would do nothing to help those who are on platforms or distros
that don't put PAM in there by default - it can still be a pain to put
it in there...

//Magnus


Re: LDAP Authentication?

From
Mike Rylander
Date:
On 10/10/05, Magnus Hagander <mha@sollentuna.net> wrote:
> > > You can do this today using PAM authentication, but this is
> > not always
> > > possible. Notably it's never possible on Windows, and there are
> > > several unix platforms/distros that don't support it
> > without a lot of
> > > work.
> >
> > Or you port PAM to Windows, and then everybody wins.
>
> Well, for one that's going to be a *lot* more work. I'm not even sure
> how many of the concepts would apply to win32, but then I don't really
> know PAM...
>

Most of the work has already been done:

http://pgina.xpasystems.com/

--
Mike Rylander
mrylander@gmail.com
GPLS -- PINES Development
Database Developer
http://open-ils.org


Re: LDAP Authentication?

From
"Magnus Hagander"
Date:
> > > > You can do this today using PAM authentication, but this is
> > > not always
> > > > possible. Notably it's never possible on Windows, and there are
> > > > several unix platforms/distros that don't support it
> > > without a lot of
> > > > work.
> > >
> > > Or you port PAM to Windows, and then everybody wins.
> >
> > Well, for one that's going to be a *lot* more work. I'm not
> even sure
> > how many of the concepts would apply to win32, but then I
> don't really
> > know PAM...
> >
>
> Most of the work has already been done:
>
> http://pgina.xpasystems.com/

Eh, no, that one works the other way around, and doesn't help us at all.

GINA for windows is about the same as PAM is for Unix. Allows pluggable
authentication. But we don't support GINA authentication.

I guess we could support GINA authentication instead of LDAP, which
would add the benefit of supporting windows passwords (without single
sign on) for local accounts. But it would also make the hurdle a whole
lot larger for anybody wanting to do ldap auth for postgres -
installing a GINA changes *all* the authentication on windows. Which
means you could use those accounts to log on to the system, which you
probably don't want...

//Magnus


Re: LDAP Authentication?

From
Satoshi Nagayasu
Date:
Magnus,

Magnus Hagander wrote:
> It should be fairly easy to write a LDAP "backend" to password
> authentication using openldap, winldap or whatever ldap library is
> available.
> 
> Before I start working on anything I'd like to check if a patch for this
> would be accepted?

Also I was thinking about LDAP authentication before.

LDAP is the most important infrastructure for enterprise users
who have the centralized account management.

Samba and Apache have LDAP auth.

Also we need it for PostgreSQL.
-- 
NAGAYASU Satoshi <nagayasus@nttdata.co.jp>






Re: LDAP Authentication?

From
Euler Taveira de Oliveira
Date:
--- Magnus Hagander wrote:

> > It should be fairly easy to write a LDAP "backend" to password
> > authentication using openldap, winldap or whatever ldap library is
> > available.
> > 
I support the idea. It would be a good gain for PostgreSQL
authentication. 
If you want to discuss ideas, drop me a line.




Euler Taveira de Oliveira
euler[at]yahoo_com_br






Re: LDAP Authentication?

From
"Bruno Almeida do Lago"
Date:
I can help on this one too.

-----Original Message-----
From: pgsql-hackers-owner@postgresql.org
[mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Euler Taveira de
Oliveira
Sent: Monday, October 31, 2005 9:44 AM
To: Satoshi Nagayasu; Magnus Hagander
Cc: PostgreSQL-development
Subject: Re: [HACKERS] LDAP Authentication?

--- Magnus Hagander wrote:

> > It should be fairly easy to write a LDAP "backend" to password
> > authentication using openldap, winldap or whatever ldap library is
> > available.
> >
I support the idea. It would be a good gain for PostgreSQL
authentication.
If you want to discuss ideas, drop me a line.




Euler Taveira de Oliveira
euler[at]yahoo_com_br




