On 08/22/2018 12:54 PM, Ravi Krishna wrote: >> >> How is that different from giving your grants to a database role and >> just telling the new user the name and password of that role to connect as? > > Well here I have to do some work, with the groups approach, it is outsourced > to devops. Secondly when you take into account AD, the user does not have to > remember his password for db login. It is same as AD.
So it seems to me that the feature may be worth adding is to fetch the password, *as well as "ldapsearchattribute"* from LDAP: https://www.postgresql.org/docs/10/static/auth-methods.html#AUTH-LDAP You should be able to get the role name from AD already, but the password they still have to remember. Although I still don't see this really working for anything more complicated than one database and no user in more than one group. -- Dimitri Maziuk Programmer/sysadmin BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu
signature.asc
Description: OpenPGP digital signature