On Jan 30, 2008 12:36 PM, The Anarcat <[EMAIL PROTECTED]> wrote:
> On Wed, Jan 30, 2008 at 11:24:41AM +0000, [EMAIL PROTECTED] wrote:
> > That said, Postgres does provide for LDAP, Kerberos and PAM-based
> > authentication, so it is still possible to have external authentication
> > for LSMB, just one level removed. I had LDAP in mind anyway...
>
> Having participated in that discussion about authentication, I can only
> applaud the direction 1.3 is taking, in that case.
>
> However, the above makes me wonder:
>
> What happens when you plug postgres into (say) kerberos? All Kerberos
> users become pgsql users? And all pgsql users are necessarily kerberos
> users?

Not quite.

You still have to create the user in PostgreSQL. It would be more accurate
to say "All Kerberos users are potential PostgreSQL users, and all PostgreSQL
users *MUST* be Kerberos users to access systems where Kerberos is set."

Basically, PgSQL still needs to know about the users and still must handle
the security and authorization/auditing components. However PgSQL users
could then use Kerberos to prove their identity to PostgreSQL. Hence
Kerberos is only one A out of the AAA system.
>
>
> This sounds a bit problematic to my ears in the traditional context of
> having "one user per CMS install", for example, on web applications.
> (e.g. I don't want my Drupal database user to have an account in the
> Kerberos database...)

Take a look at the documentation regarding the pg_hba.conf. Kerberos (or
any other authentication option) can be enabled per
remote-host/user/database combination.

Best Wishes,
Chris Travers
_______________________________________________
Ledger-smb-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
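
An added example, not part of the original message or of the LedgerSMB or PostgreSQL code: a simplified resolver showing how per host/user/database records in pg_hba.conf let a web application role keep password authentication while other users must use Kerberos. The sample file, the names `drupal`, `drupal_app` and `lsmb`, and the addresses are constructed; `gss` is the GSSAPI (Kerberos) method name in current PostgreSQL, and the parser handles only `local`/`host` records, `all`, and comma-separated names.

```python
import ipaddress

# Constructed pg_hba.conf (not from the thread). Assumed names: databases
# "drupal" and "lsmb", role "drupal_app", internal network 10.0.0.0/8.
SAMPLE_HBA = """
# TYPE  DATABASE  USER        ADDRESS        METHOD
local   all       postgres                   peer
host    drupal    drupal_app  127.0.0.1/32   md5
host    lsmb      all         10.0.0.0/8     gss
host    all       all         0.0.0.0/0      reject
"""

def parse_hba(text):
    """Parse 'local' and 'host' records into dicts (auth options ignored)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 4:
            kind, db, user, method = fields[:4]
            net = None  # Unix-socket records carry no address column
        elif fields[0] == "host" and len(fields) >= 5:
            kind, db, user, addr, method = fields[:5]
            net = ipaddress.ip_network(addr)
        else:
            raise ValueError(f"unsupported record: {line!r}")
        rules.append({"type": kind, "db": db.split(","),
                      "user": user.split(","), "net": net, "method": method})
    return rules

def _matches(names, value):
    return "all" in names or value in names

def auth_method(rules, db, user, client_ip=None):
    """Return the method of the first matching record (PostgreSQL stops at
    the first match). client_ip=None means a Unix-socket connection; when no
    record matches, access is denied."""
    for r in rules:
        if (r["net"] is None) != (client_ip is None):
            continue  # socket records never match TCP clients, and vice versa
        if client_ip is not None and ipaddress.ip_address(client_ip) not in r["net"]:
            continue
        if _matches(r["db"], db) and _matches(r["user"], user):
            return r["method"]
    return "reject"
```

Even with the `gss` record in place, each Kerberos principal still needs a matching PostgreSQL role before it can connect, which is the "potential users" point made in the reply.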