Thread: Postgres user authentication or LDAP authentication

From
"Lauris Ulmanis"
Date:

Hello!

I posted a message to you about the slowness of creating more than 500 000 users (#4919). It seems there is no workaround for this problem because of the use of the pg_auth flat file.

To overcome this problem, is it possible to use the LDAP authentication method to identify each user and speed up the system? How will it affect group roles for each user, since we use group roles to give users access to system objects? Because group roles will work only with Postgres users, not LDAP.

pgBouncer or pgPool uses Postgres users for connection pooling. Are there any other ways to use connection pooling without using Postgres users?

______________________________________

Lauris Ulmanis

Tel. +371 29471020

Re: [BUGS] Postgres user authentication or LDAP authentication

From
Magnus Hagander
Date:
On Thu, Jul 23, 2009 at 12:47, Lauris Ulmanis <lauris.ulmanis@mykoob.com> wrote:
> Hello!
>
> I posted a message to you about the slowness of creating more than 500 000
> users (#4919). It seems there is no workaround for this problem because of
> the use of the pg_auth flat file.
>
> To overcome this problem, is it possible to use the LDAP authentication
> method to identify each user and speed up the system?

No. LDAP authentication still requires all the users to be created in
the database before they can log in. This is required so that they get
an oid in the system, that is used for all permissions checks and
ownership and such things.

The only thing you could do here is to map multiple users to the
*same* database user using pg_ident.conf, for example with a regular
expression. However, you then lose the ability to distinguish between
these users once they are logged in.


> How will it affect group roles for each user, since we use group roles
> to give users access to system objects? Because group roles will work
> only with Postgres users, not LDAP.

The PostgreSQL LDAP code currently has no support for groups.


> pgBouncer or pgPool uses Postgres users for connection pooling. Are there
> any other ways to use connection pooling without using Postgres users?

Not that I know of.


--
 Magnus Hagander
 Self: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
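
The pg_ident.conf mapping described in the message above, as an added example that is not part of the original thread or of PostgreSQL's code: a simplified Python model of user-name map matching for authentication methods that accept a map, showing that a shared-role map makes every accepted identity appear to the server as the same role. The map names, realm and role are constructed, and Python's `re` stands in for PostgreSQL's own regex engine.

```python
import re

# Constructed pg_ident.conf content; map names, realm and role are made up.
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME         PG-USERNAME
shared     /^(.*)@example\.org$    app_user
peruser    /^(.*)@example\.org$    \1
"""

def parse_ident(text):
    """Return (mapname, system_username, pg_username) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("expected 3 fields: %r" % line)
        entries.append(tuple(fields))
    return entries

def check_map(entries, mapname, external_id, requested_role):
    """True if external_id may connect as requested_role under mapname."""
    for name, sys_user, pg_user in entries:
        if name != mapname:
            continue
        if sys_user.startswith("/"):          # leading "/" marks a regex
            m = re.search(sys_user[1:], external_id)
            if m is None:
                continue
            if m.groups() and m.group(1) is not None:
                # \1 in PG-USERNAME is replaced by the first capture group
                pg_user = pg_user.replace("\\1", m.group(1), 1)
        elif sys_user != external_id:
            continue
        if pg_user == requested_role:
            return True
    return False

def roles_seen_by_server(entries, mapname, external_ids, requested_role):
    """Map each accepted external identity to the role its session runs as."""
    return {e: requested_role for e in external_ids
            if check_map(entries, mapname, e, requested_role)}

if __name__ == "__main__":
    ids = ["alice@example.org", "bob@example.org", "eve@other.test"]
    print(roles_seen_by_server(parse_ident(PG_IDENT), "shared", ids, "app_user"))
```

With the `shared` map, both accepted identities end up as `app_user`, so permission checks and ownership inside the database cannot tell them apart; the `peruser` map keeps them distinct but requires each role to exist in the database.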

Re: [BUGS] Postgres user authentication or LDAP authentication

From
Alvaro Herrera
Date:
Lauris Ulmanis wrote:
> Hello!
>
> I posted a message to you about the slowness of creating more than 500 000
> users (#4919). It seems there is no workaround for this problem because of
> the use of the pg_auth flat file.
>
> To overcome this problem, is it possible to use the LDAP authentication
> method to identify each user and speed up the system?

No.  The users still need to exist in the PG auth system.

I'm sure this is just some missing optimization.  Feel free to work on
the code to improve performance for these cases.

--
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.