Thread: LDAP Authentication?
People,

After writing dblink-ldap (http://pgfoundry.org/projects/dblink-ldap), several people have contacted me asking if this will give LDAP authentication to PostgreSQL, because they need this. And this is before I've even released it, so apparently there are a lot of people who want this.

You can do this today using PAM authentication, but this is not always possible. Notably it's never possible on Windows, and there are several unix platforms/distros that don't support it without a lot of work.

It should be fairly easy to write a LDAP "backend" to password authentication using openldap, winldap or whatever ldap library is available.

Before I start working on anything I'd like to check if a patch for this would be accepted?

//Magnus

Magnus Hagander wrote:
> You can do this today using PAM authentication, but this is not always
> possible. Notably it's never possible on Windows, and there are
> several unix platforms/distros that don't support it without a lot of
> work.

Or you port PAM to Windows, and then everybody wins.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

> > You can do this today using PAM authentication, but this is not always
> > possible. Notably it's never possible on Windows, and there are
> > several unix platforms/distros that don't support it without a lot of
> > work.
>
> Or you port PAM to Windows, and then everybody wins.

Well, for one that's going to be a *lot* more work. I'm not even sure how many of the concepts would apply to win32, but then I don't really know PAM...

It also would do nothing to help those who are on platforms or distros that don't put PAM in there by default - it can still be a pain to put it in there...

//Magnus

On 10/10/05, Magnus Hagander <mha@sollentuna.net> wrote:
> > > You can do this today using PAM authentication, but this is not always
> > > possible. Notably it's never possible on Windows, and there are
> > > several unix platforms/distros that don't support it without a lot of
> > > work.
> >
> > Or you port PAM to Windows, and then everybody wins.
>
> Well, for one that's going to be a *lot* more work. I'm not even sure
> how many of the concepts would apply to win32, but then I don't really
> know PAM...
>

Most of the work has already been done:

http://pgina.xpasystems.com/

--
Mike Rylander
mrylander@gmail.com
GPLS -- PINES Development
Database Developer
http://open-ils.org

> > > > You can do this today using PAM authentication, but this is not always
> > > > possible. Notably it's never possible on Windows, and there are
> > > > several unix platforms/distros that don't support it without a lot of
> > > > work.
> > >
> > > Or you port PAM to Windows, and then everybody wins.
> >
> > Well, for one that's going to be a *lot* more work. I'm not even sure
> > how many of the concepts would apply to win32, but then I don't really
> > know PAM...
> >
>
> Most of the work has already been done:
>
> http://pgina.xpasystems.com/

Eh, no, that one works the other way around, and doesn't help us at all.

GINA for windows is about the same as PAM is for Unix. Allows pluggable authentication. But we don't support GINA authentication.

I guess we could support GINA authentication instead of LDAP, which would add the benefit of supporting windows passwords (without single sign on) for local accounts. But it would also make the hurdle a whole lot larger for anybody wanting to do ldap auth for postgres - installing a GINA changes *all* the authentication on windows. Which means you could use those accounts to log on to the system, which you probably don't want...

//Magnus

Magnus,

Magnus Hagander wrote:
> It should be fairly easy to write a LDAP "backend" to password
> authentication using openldap, winldap or whatever ldap library is
> available.
>
> Before I start working on anything I'd like to check if a patch for this
> would be accepted?

Also I was thinking about LDAP authentication before.

LDAP is the most important infrastructure for enterprise users who have the centralized account management.

Samba and Apache have LDAP auth. Also we need it for PostgreSQL.

--
NAGAYASU Satoshi <nagayasus@nttdata.co.jp>

--- Magnus Hagander wrote:
> > It should be fairly easy to write a LDAP "backend" to password
> > authentication using openldap, winldap or whatever ldap library is
> > available.
> >

I support the idea. It would be a good gain for PostgreSQL authentication. If you want to discuss ideas, drop me a line.

Euler Taveira de Oliveira
euler[at]yahoo_com_br

I can help on this one too.

-----Original Message-----
From: pgsql-hackers-owner@postgresql.org [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Euler Taveira de Oliveira
Sent: Monday, October 31, 2005 9:44 AM
To: Satoshi Nagayasu; Magnus Hagander
Cc: PostgreSQL-development
Subject: Re: [HACKERS] LDAP Authentication?

--- Magnus Hagander wrote:
> > It should be fairly easy to write a LDAP "backend" to password
> > authentication using openldap, winldap or whatever ldap library is
> > available.
> >

I support the idea. It would be a good gain for PostgreSQL authentication. If you want to discuss ideas, drop me a line.

Euler Taveira de Oliveira
euler[at]yahoo_com_br