
Re: Fwd: [GENERAL] Using LDAP for PostgreSQL permissions/authentication



--On Friday, September 13, 2013 2:17 PM -1000 Stephan Fabel <sfabel@hawaii.edu> wrote:

But it doesn't help with the headache of creating the accounts on all the
servers, or dropping them as part of employee termination procedures, or
doing security audits, or changing permissions on multiple servers when
an employee gets a promotion, etc.

Nope; I'd use puppet or chef or something along those lines to deal with
this aspect, much as I'd do with Unix accounts. Using nsswitch and
tying every user name look up to LDAP has certain.. drawbacks.

I would use dynamic groups in LDAP.  It would make all of this trivial.


Thus, when I go to log in as wmoran, LDAP checks my password, then
informs PostgreSQL to allow me in with specified roles, and I can do
operations granted to those roles.

That's a little over-simplistic, isn't it? What about objects which are
created by the 'wmoran' account?

Again, I would use dynamic groups for roles.


Obviously, that's not how it works now ... my question is why not? Is
it just a matter of nobody's gotten to it yet, or are there issues that
make such an implementation difficult/troublesome/impossible? If it's
possible, does anyone have any concept of how hard it would be to
implement?

I don't see any issue here that isn't already possible to do with OpenLDAP without any particular difficulty.

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra ::  the leader in open source messaging and collaboration
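The model the thread converges on is: PostgreSQL checks the password against LDAP (the `ldap` method in pg_hba.conf), while something else, puppet, chef, or a periodic job, keeps the login roles and their group-derived memberships in step with the directory, and handles the "objects owned by wmoran" problem when an account is removed. The script below is an added example of that reconciliation step, not code from anyone in the thread. The LDAP group membership is constructed inline so it runs offline (in a real deployment you would resolve the dynamic groups with an LDAP query and feed the resulting member lists through the same functions); the group DNs, the LDAP-group-to-role mapping, and the `app_owner` role that inherits a departed user's objects are all hypothetical names.

```python
"""Reconcile PostgreSQL login roles and memberships with LDAP groups.

Added example for the thread above; not code from the mailing list.
PostgreSQL authenticates the password via LDAP (pg_hba.conf 'ldap'),
this job only manages role lifecycle: create login roles for new LDAP
members, grant/revoke group-derived memberships, and drop roles of
departed users after reassigning anything they own.
"""

from typing import Dict, List, Set

# Constructed sample: what two (hypothetical) dynamic groups resolve to.
LDAP_GROUPS: Dict[str, Set[str]] = {
    "cn=pg_readonly,ou=groups,dc=example,dc=com": {"wmoran", "sfabel"},
    "cn=pg_dba,ou=groups,dc=example,dc=com": {"quanah"},
}

# Hypothetical mapping: LDAP group DN -> PostgreSQL role it confers.
GROUP_TO_ROLE: Dict[str, str] = {
    "cn=pg_readonly,ou=groups,dc=example,dc=com": "app_readonly",
    "cn=pg_dba,ou=groups,dc=example,dc=com": "app_dba",
}

# Hypothetical role that takes over objects owned by a dropped user.
ORPHAN_OWNER = "app_owner"


def desired_state(ldap_groups: Dict[str, Set[str]],
                  group_to_role: Dict[str, str]) -> Dict[str, Set[str]]:
    """Return {login_role: set(pg_roles)} implied by LDAP membership."""
    desired: Dict[str, Set[str]] = {}
    for group_dn, members in ldap_groups.items():
        pg_role = group_to_role.get(group_dn)
        if pg_role is None:
            continue  # unmapped group: ignore it rather than guess a role
        for uid in members:
            desired.setdefault(uid, set()).add(pg_role)
    return desired


def quote_ident(name: str) -> str:
    """Double-quote an SQL identifier, escaping embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def plan_sql(current: Dict[str, Set[str]],
             desired: Dict[str, Set[str]]) -> List[str]:
    """SQL that moves `current` (read from pg_roles/pg_auth_members for
    the roles this job manages) to `desired` (derived from LDAP)."""
    stmts: List[str] = []
    # New users: LOGIN but no local password, LDAP holds the credential.
    for user in sorted(set(desired) - set(current)):
        stmts.append(f"CREATE ROLE {quote_ident(user)} LOGIN;")
    # Membership drift in either direction.
    for user in sorted(desired):
        have = current.get(user, set())
        want = desired[user]
        for role in sorted(want - have):
            stmts.append(f"GRANT {quote_ident(role)} TO {quote_ident(user)};")
        for role in sorted(have - want):
            stmts.append(f"REVOKE {quote_ident(role)} FROM {quote_ident(user)};")
    # Departed users: DROP ROLE fails while they still own objects, so
    # reassign ownership (per database), drop remaining privileges, then drop.
    for user in sorted(set(current) - set(desired)):
        u = quote_ident(user)
        stmts.append(f"REASSIGN OWNED BY {u} TO {quote_ident(ORPHAN_OWNER)};")
        stmts.append(f"DROP OWNED BY {u};")
        stmts.append(f"DROP ROLE {u};")
    return stmts


if __name__ == "__main__":
    # Constructed current state: wmoran is already correct, oldguy has left.
    current = {"wmoran": {"app_readonly"}, "oldguy": {"app_dba"}}
    for stmt in plan_sql(current, desired_state(LDAP_GROUPS, GROUP_TO_ROLE)):
        print(stmt)
```

Run the emitted statements from a job that owns only a `CREATEROLE` account and is restricted to the roles it manages; it should never touch superusers or roles outside `GROUP_TO_ROLE`. `REASSIGN OWNED` and `DROP OWNED` act per database, so the departed-user block has to be executed in every database the user could have created objects in before the final `DROP ROLE`.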