Hi,
SSPI Kerberos\NTLM authentication (Windows environment) currently only
authenticates users; however, it does not authenticate a user against an LDAP \
Active Directory group.
This makes administration complex because an administrator would need to
add\remove each user to\from an instance or if a user changes role then their
permissions would need to be altered.
If you have many instances and many users then this becomes a long process
which can be prone to error.
Industry best practices would be to define group(s) and assign permissions and
roles to these and have SSPI authenticate users against these groups.
The responsibility of granting or altering permissions is at the LDAP \ Active
Directory level which is its prime purpose.
This is something that other RDBMS can do and it would make PostgreSQL a far
more attractive solution from that perspective.
Can you please look at making this possible?
This has been raised before (below) but nothing has been progressed further...
https://www.postgresql.org/message-id/20201016160029.GO19056%40tamriel.snowman.net
Many thanks.
John.