Thread: [GENERAL] AD(Active Directory) groups concepts in postgres
On 02/02/2017 16:49, PAWAN SHARMA wrote:
> Hi All, Can we use AD(Active Directory) groups concepts in postgres as we are using this concepts in SQL server. So, is there any possible to work with AD groups such as (IT-DBA, IT-APPS..etc ) in postgresql.
Like this?
https://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD
Cheers
Moreno
-Pawan
On 2/2/2017 8:24 AM, Moreno Andreo wrote:
> > Can we use AD(Active Directory) groups concepts in postgres as we are using this concepts in SQL server. So, is there any possible to work with AD groups such as (IT-DBA, IT-APPS..etc ) in postgresql.
>
> Like this?
> https://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD

that handles authentication, but AFAIK, postgresql has no concept of Active Directory groups, only group roles defined within the postgres server. even if you're using AD for authentication, you still have to create roles in postgresql, and put these roles in groups.
-- john r pierce, recycling bits in santa cruz
On 2/2/2017 11:09 AM, PAWAN SHARMA wrote:
> 1: Create User
> 2: Create group
> 3: Alter Group Add/Remove User's......????????

create user user1;
create user user2;
create group group1;
grant group1 to user1, user2;

in fact in postgres, both users and groups are roles, the only distinction is in how they are used. CREATE USER xxxx is exactly the same as CREATE ROLE xxxx WITH LOGIN;
-- john r pierce, recycling bits in santa cruz
> For testing i have created
>
> 1:create user user1;
> 2:create user user2;
> 3:create group dba_group;
> 4:grant dba_group to user1;
> 5:ALTER group dba_group CREATEDB CREATEROLE;
>
> but still user1 don't have createdb and createrole privilege, even he is assigned to dba_group which having both the privileges..?
those sorts of attributes don't inherit with role membership. role membership affects table access rights and such. you have read the documentation on this, yes? see the note on https://www.postgresql.org/docs/current/static/sql-createrole.html where it says...
The INHERIT attribute governs inheritance of grantable privileges (that is, access privileges for database objects and role memberships). It does not apply to the special role attributes set by CREATE ROLE and ALTER ROLE. For example, being a member of a role with CREATEDB privilege does not immediately grant the ability to create databases, even if INHERIT is set; it would be necessary to become that role via SET ROLE before creating a database.
--
john r pierce, recycling bits in santa cruz
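
The behaviour discussed in this thread, as an added example that is not part of any poster's message: role attributes such as CREATEDB are not inherited through membership, object privileges are, and a member can still reach the attributes with SET ROLE. It assumes a superuser psql session on a scratch cluster where user1 and dba_group do not exist yet; demo_db and audit_demo are constructed names.

```sql
-- Group role carrying the attributes, plus one login role that is a member.
CREATE ROLE dba_group NOLOGIN CREATEDB CREATEROLE;
CREATE ROLE user1 LOGIN;
GRANT dba_group TO user1;

-- An object privilege granted to the group, for contrast.
CREATE TABLE audit_demo (id int);
GRANT SELECT ON audit_demo TO dba_group;

-- The attributes are stored per role: user1 still shows false for both.
SELECT rolname, rolcreatedb, rolcreaterole
FROM pg_roles
WHERE rolname IN ('user1', 'dba_group');

-- Act as user1 (requires the superuser session assumed above).
SET SESSION AUTHORIZATION user1;

SELECT count(*) FROM audit_demo;  -- works: table privileges inherit via membership
CREATE DATABASE demo_db;          -- fails: permission denied to create database

SET ROLE dba_group;               -- allowed because user1 is a member
CREATE DATABASE demo_db;          -- succeeds; demo_db is owned by dba_group
RESET ROLE;

RESET SESSION AUTHORIZATION;

-- Review query: direct members of any role holding CREATEDB, CREATEROLE or
-- SUPERUSER. Each of them can reach those attributes with SET ROLE, so
-- membership in such a group should be granted as carefully as the attribute.
-- Nested memberships (a group inside a group) are not expanded here.
SELECT m.rolname AS member,
       g.rolname AS via_role,
       g.rolcreatedb,
       g.rolcreaterole,
       g.rolsuper
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE g.rolcreatedb OR g.rolcreaterole OR g.rolsuper
ORDER BY via_role, member;

-- Cleanup of the constructed objects.
DROP DATABASE demo_db;
DROP TABLE audit_demo;
DROP ROLE user1;
DROP ROLE dba_group;
```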