Re: User Authentication: LDAP and "local" accounts concurrently ?

From: Stephen Frost
Subject: Re: User Authentication: LDAP and "local" accounts concurrently ?
Msg-id: 20181123191413.GJ3415@tamriel.snowman.net
In reply to: Re: User Authentication: LDAP and "local" accounts concurrently ?  ("Lentes, Bernd" <bernd.lentes@helmholtz-muenchen.de>)
Responses: Re: User Authentication: LDAP and "local" accounts concurrently ?
List: pgsql-admin
Greetings,

* Lentes, Bernd (bernd.lentes@helmholtz-muenchen.de) wrote:
> ----- On Nov 23, 2018, at 4:17 PM, Stephen Frost sfrost@snowman.net wrote:
> > * Lentes, Bernd (bernd.lentes@helmholtz-muenchen.de) wrote:
> >> I created a Postgres Server 9.6 on a SLES 12 SP3 box. In our institution we have
> >> a Windows ADS which I would like to use to authenticate users via LDAP.
> >
> > For running PostgreSQL in a Windows ADS environment, you should really
> > be using GSSAPI / Kerberos and *not* using LDAP authentication.
> >
> > GSSAPI / Kerberos is what Windows uses to authenticate users and
> > services and it's much more secure than using LDAP.
>
> Thanks for your answer. I'm not familiar with LDAP, GSSAPI and Kerberos.
> Why is it more secure?

With LDAP, the user's password will be seen by the PostgreSQL server,
and sent over the wire in cleartext unless you're making sure to use TLS
on the connection to PG (and if you're doing that you really want to
make sure you have verify-full enabled on your clients....).

With Kerberos/GSSAPI, the authentication tokens are encrypted by the KDC
(in your case, the AD domain controllers) and the user's password is
never exposed.

Thanks!

Stephen
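As an added example, not part of Stephen's reply and not PostgreSQL's own tooling, the POSIX shell script below checks a pg_hba.conf for the two points made in the message: a password-carrying method such as `ldap` (or `password`) on a plain `host` entry lets the client send the password unencrypted to the server, and a libpq client that is not using `sslmode=verify-full` does not verify the server it is talking to even when TLS is on. The pg_hba.conf lines, host names (`*.example.invalid`) and connection strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits pg_hba.conf entries for the
# two points made above: a password-based method (ldap, password) on a plain
# "host" line lets the password cross the wire in cleartext, and a TLS client
# that is not using sslmode=verify-full does not check who it is talking to.

# Constructed sample pg_hba.conf content (server names are placeholders).
SAMPLE_HBA='# TYPE  DATABASE  USER      ADDRESS      METHOD
host    all       all       10.0.0.0/8   ldap ldapserver=ad.example.invalid ldapprefix="" ldapsuffix="@example.invalid"
hostssl all       all       10.0.0.0/8   ldap ldapserver=ad.example.invalid ldaptls=1
host    all       all       10.0.0.0/8   gss include_realm=1 krb_realm=EXAMPLE.INVALID
local   all       postgres               peer'

# audit_pg_hba CONTENT
# Prints one FINDING per entry that accepts a password without requiring TLS.
# md5 and scram-sha-256 are challenge-response exchanges and are not flagged;
# gss never sends the password at all. Exit status 0 when nothing was found,
# 1 otherwise.
audit_pg_hba() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }      # comment line
        NF == 0    { next }      # blank line
        {
            type = $1
            # "local" entries have no ADDRESS column, so METHOD is field 4;
            # every other type carries an address and METHOD is field 5.
            method = (type == "local") ? $4 : $5
            if ((method == "ldap" || method == "password") &&
                (type == "host" || type == "hostnossl")) {
                printf "FINDING line %d: method %s on a plain %s entry; the client may send the password unencrypted\n", NR, method, type
                findings++
            }
        }
        END { exit (findings > 0) ? 1 : 0 }'
}

# conninfo_uses_verify_full CONNINFO
# Succeeds only when a libpq keyword/value connection string pins
# sslmode=verify-full, the mode in which libpq verifies both the server
# certificate chain and the host name.
conninfo_uses_verify_full() {
    case " $1 " in
        *" sslmode=verify-full "*) return 0 ;;
        *)                         return 1 ;;
    esac
}

if audit_pg_hba "$SAMPLE_HBA"; then
    echo "pg_hba.conf: no cleartext-password entries found"
else
    echo "pg_hba.conf: review the findings above"
fi
```

Run against a real file with `audit_pg_hba "$(cat /path/to/pg_hba.conf)"`; the sample above reports only the first `host ... ldap` line, since the `hostssl` ldap entry forces TLS on the client connection and the `gss` entry never carries a password.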
