Thread: Seeking experiences 'accessing' Microsoft Active Directory credentials from PostgreSQL, in conjunction with the sys admin / IT...

> *    Have IT write a script to dump the AS credentials as, say, a
> delimited text file to a (secure) location on a nightly basis (an often
> enough frequency for my purposes) - and have PostgreSQL dynamically
> link, with the right credentials, to that network location with their
> text file/s (including 'recognising' when the file/s change)

ETOOMANYMOVINGPARTS, in addition to your admins failing to leverage
the ability of AD to natively export data over a standard protocol

> *    A 'direct' read-only connection (without comprising the network
> security), but of what sort? I have no experience in how AD stores and
> shares its info, bit am happy to learn what is needed (IT has a lot of
> knowledge of course, but don't use PostgreSQL)

The most straightforward solution would be for postgres to grab the
data via an LDAP connection (that's how AD exports data) after getting
set up by your admins to get read-only access to the user data you need.

However, I'm not sure that postgres has the code to pull in LDAP
data as a table (which would be a nice feature, IMO), but doing a
daily/hourly/every 30 seconds/whenever cron job which pulls data
via a ldapsearch (I'm assuming unix, because, frankly, I don't
care about windows), and then rebuilds a table with the new data.

On 24 February 2010 07:56, Bret S. Lambert <bret.lambert@gmail.com> wrote:
[...]
>> *     A 'direct' read-only connection (without comprising the network
>> security), but of what sort? I have no experience in how AD stores and
>> shares its info, bit am happy to learn what is needed (IT has a lot of
>> knowledge of course, but don't use PostgreSQL)
>
> The most straightforward solution would be for postgres to grab the
> data via an LDAP connection (that's how AD exports data) after getting
> set up by your admins to get read-only access to the user data you need.
>
> However, I'm not sure that postgres has the code to pull in LDAP
> data as a table (which would be a nice feature, IMO), but doing a
> daily/hourly/every 30 seconds/whenever cron job which pulls data
> via a ldapsearch (I'm assuming unix, because, frankly, I don't
> care about windows), and then rebuilds a table with the new data.

I wonder if you couldn't do this with e.g. a plperl function or something?

--
Michael Wood <esiotrot@gmail.com>

On 2010-02-24, Michael Wood <esiotrot@gmail.com> wrote:
> On 24 February 2010 07:56, Bret S. Lambert <bret.lambert@gmail.com> wrote:
> [...]
>>> *     A 'direct' read-only connection (without comprising the network
>>> security), but of what sort? I have no experience in how AD stores and
>>> shares its info, bit am happy to learn what is needed (IT has a lot of
>>> knowledge of course, but don't use PostgreSQL)
>>
>> The most straightforward solution would be for postgres to grab the
>> data via an LDAP connection (that's how AD exports data) after getting
>> set up by your admins to get read-only access to the user data you need.
>>
>> However, I'm not sure that postgres has the code to pull in LDAP
>> data as a table (which would be a nice feature, IMO), but doing a
>> daily/hourly/every 30 seconds/whenever cron job which pulls data
>> via a ldapsearch (I'm assuming unix, because, frankly, I don't
>> care about windows), and then rebuilds a table with the new data.
>
> I wonder if you couldn't do this with e.g. a plperl function or something?

yes, it should be possible to do a set returning plperl or C functuion
which querys the AD via LDAP and use that function to populate a view

not very efficient (if queried frequently) but reasonably seamless.