Greetings,
* Thomas Munro (thomas.munro@gmail.com) wrote:
> I also know that a motivated user could also use GSSAPI instead of
> LDAP. Do you think we should update the manual to say so, perhaps in
> a "tip" box on the LDAP auth page?
Hrm, not sure how I missed this before, but, yes, I'm all for adding a
'tip' box on the LDAP auth page which recommends use of GSSAPI when
available (such as when operating in an Active Directory
environment...). Note that, technically, you can run LDAP without using
Active Directory and without running any kind of KDC, so we can't just
blanket say "use GSSAPI" because there exists use-cases where that isn't
an option.
Not that I've ever actually *encountered* such an environment, but
people have assured me that they do, in fact, exist, and that there are
users of PG LDAP auth with such a setup who would be upset to see
support for it removed.
Anyhow, yes, a 'tip' would be great to add.
Thanks,
Stephen