Thread: LDAP and roles

LDAP and roles

From
Ron
Date:
Does LDAP obviate the need for the PASSWORD clause of CREATE ROLE? It sounds 
obvious, but I wanted to verify before deciding whether or not to try LDAP, 
and did not see any reference in 
https://www.postgresql.org/docs/12/sql-createrole.html.

Thanks

-- 
Angular momentum makes the world go 'round.



Re: LDAP and roles

From
Tom Lane
Date:
Ron <ronljohnsonjr@gmail.com> writes:
> Does LDAP obviate the need for the PASSWORD clause of CREATE ROLE?

Well, it won't use that password, if that's what you mean.

            regards, tom lane



Re: LDAP and roles

From
Ron
Date:
On 12/8/20 3:15 PM, Tom Lane wrote:
> Ron <ronljohnsonjr@gmail.com> writes:
>> Does LDAP obviate the need for the PASSWORD clause of CREATE ROLE?
> Well, it won't use that password, if that's what you mean.

That's what I meant.

-- 
Angular momentum makes the world go 'round.



Re: LDAP and roles

From
Paul Förster
Date:
Hi Ron,

> On 08. Dec, 2020, at 21:12, Ron <ronljohnsonjr@gmail.com> wrote:
>
> Does LDAP obviate the need for the PASSWORD clause of CREATE ROLE?

yes, it does. We use it all the time.

create role <name> login;
grant <approle> to <name>;

It works with us this way. The user/role is otherwise completely managed in LDAP, including password policies, etc.

Cheers,
Paul




Re: LDAP and roles

From
Stephen Frost
Date:
Greetings,

* Ron (ronljohnsonjr@gmail.com) wrote:
> Does LDAP obviate the need for the PASSWORD clause of CREATE ROLE? It sounds
> obvious, but I wanted to verify before deciding whether or not to try LDAP,
> and did not see any reference in
> https://www.postgresql.org/docs/12/sql-createrole.html.

Using GSSAPI also results in the password not needing to be set for
the role, and is actually secure, unlike LDAP-based auth where the
user's password is happily sent in the clear to the PG server.

Thanks,

Stephen

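Added example, not part of the thread: whether the password travels in the clear depends on how the `ldap` rules in pg_hba.conf are written, so this Python sketch audits each such rule for an unencrypted client leg (`host`/`hostnossl`) and an unencrypted server-to-LDAP leg (no `ldaptls=1`, `ldapscheme=ldaps` or `ldaps://` URL). The sample file, host names and the function name `audit_ldap_lines` are constructed for illustration. Even with both legs encrypted the PostgreSQL server still receives the password itself, which GSSAPI avoids.

```python
import shlex

# Authentication method keywords recognised in pg_hba.conf.
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
           "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

# Constructed sample pg_hba.conf (hosts and networks are placeholders).
SAMPLE_HBA = """\
# TYPE     DATABASE USER ADDRESS     METHOD OPTIONS
local      all      postgres         peer
host       all      all  10.0.0.0/8  ldap ldapserver=ldap.example.net ldapprefix="uid=" ldapsuffix=",dc=example,dc=net"
hostssl    all      all  10.1.0.0/16 ldap ldapserver=ldap.example.net ldapbasedn="dc=example,dc=net" ldapsearchattribute=uid
hostssl    all      all  10.2.0.0/16 ldap ldapserver=ldap.example.net ldaptls=1 ldapbasedn="dc=example,dc=net"
hostssl    all      all  10.3.0.0/16 ldap ldapurl="ldaps://ldap.example.net/dc=example,dc=net?uid?sub"
hostgssenc all      all  10.4.0.0/16 gss include_realm=0 krb_realm=EXAMPLE.NET
"""

def audit_ldap_lines(hba_text):
    """Return [(line_no, [findings])] for every rule whose method is ldap."""
    results = []
    for no, raw in enumerate(hba_text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # handles quotes and '#'
        if not fields:
            continue
        start = 3 if fields[0] == "local" else 4
        # A host rule may give "IP netmask" as two fields, shifting the method.
        idx = next((i for i in (start, start + 1)
                    if i < len(fields) and fields[i] in METHODS), None)
        if idx is None or fields[idx] != "ldap":
            continue
        opts = dict(f.split("=", 1) for f in fields[idx + 1:] if "=" in f)
        findings = []
        if fields[0] in ("host", "hostnossl"):
            findings.append("client leg: rule matches non-TLS connections; use hostssl")
        encrypted = (opts.get("ldaptls") == "1"
                     or opts.get("ldapscheme") == "ldaps"
                     or opts.get("ldapurl", "").startswith("ldaps://"))
        if not encrypted:
            findings.append("LDAP leg: no ldaptls=1 or ldaps; bind is unencrypted")
        results.append((no, findings))
    return results

if __name__ == "__main__":
    for line_no, findings in audit_ldap_lines(SAMPLE_HBA):
        print(line_no, findings or ["both legs encrypted in transit"])
```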