Thread: LDAP(s) doc misleading
Hi, I found what I believe to be misleading in the LDAP documentation: https://www.postgresql.org/docs/current/auth-ldap.html It says: "ldapscheme Set to ldaps to use LDAPS."... IMHO, it should say: "ldapscheme Set to ldapscheme to use LDAPS (ldapscheme=ldaps)."... I found this because I'm in the process of making our Linux LDAP servers obsolete by reconfiguring PostgreSQL to use ourcompany Windows Active Directory LDAPS service. Cheers, Paul
Greetings, * Paul Förster (paul.foerster@gmail.com) wrote: > I found this because I'm in the process of making our Linux LDAP servers obsolete by reconfiguring PostgreSQL to use ourcompany Windows Active Directory LDAPS service. When in an Active Directory environment, it's far more secure to use Kerberos/GSSAPI and not LDAP (or LDAPS). Using the ldap authentication method with PostgreSQL will result in the credentials of users being sent to the database server, such that if the database server is compromised so will all of those user accounts. Thanks, Stephen
Attachment
Hi Stephen, > On 06. Jan, 2021, at 18:14, Stephen Frost <sfrost@snowman.net> wrote: > > When in an Active Directory environment, it's far more secure to use > Kerberos/GSSAPI and not LDAP (or LDAPS). Using the ldap authentication > method with PostgreSQL will result in the credentials of users being > sent to the database server, such that if the database server is > compromised so will all of those user accounts. I understand. But users can't login on the database server, just on the database. Database servers and client machines arelocated in different network zones with firewalls between them. Also, my point was not about using LDAP(S) versus Kerberos or GSSAPI. My point was, that I find the description of the ldapschemeentry misleading. Cheers, Paul
On Wed, Jan 6, 2021 at 8:36 AM Paul Förster <paul.foerster@gmail.com> wrote: > > Hi, > > I found what I believe to be misleading in the LDAP documentation: > > https://www.postgresql.org/docs/current/auth-ldap.html > > It says: > "ldapscheme > Set to ldaps to use LDAPS."... > > IMHO, it should say: > "ldapscheme > Set to ldapscheme to use LDAPS (ldapscheme=ldaps)."... No, I think this is correct. "Set to ldaps to use ldaps" means you set it to the value "ldaps" in order to use ldaps. I think you missed the "to" in the sentence -- without that one, your reading of it would make more sense. See also the following parameter, ldaptls, which uses similar language. -- Magnus Hagander Me: https://www.hagander.net/ Work: https://www.redpill-linpro.com/
Hi Magnus, > On 07. Jan, 2021, at 11:04, Magnus Hagander <magnus@hagander.net> wrote: > > No, I think this is correct. > > "Set to ldaps to use ldaps" means you set it to the value "ldaps" in > order to use ldaps. > > I think you missed the "to" in the sentence -- without that one, your > reading of it would make more sense. See also the following parameter, > ldaptls, which uses similar language. argh! Sorry, my bad. Yes, I missed the "to". :-( Thanks. Cheers, Paul