Re: [SOLVED] Re: pgAdmin 4 + python wheel + kerberos

From: Stephen Frost
Subject: Re: [SOLVED] Re: pgAdmin 4 + python wheel + kerberos
Msg-id: 20200507145205.GA13712@tamriel.snowman.net
In reply to: Re: [SOLVED] Re: pgAdmin 4 + python wheel + kerberos  (Dave Page <dpage@pgadmin.org>)
Responses: Re: [SOLVED] Re: pgAdmin 4 + python wheel + kerberos  (Dave Page <dpage@pgadmin.org>)
List: pgadmin-support

Greetings,

* Dave Page (dpage@pgadmin.org) wrote:
> On Wed, May 6, 2020 at 5:20 PM Stephen Frost <sfrost@snowman.net> wrote:
> > Any chance you could share that patch..?  Considering that pgAdmin4 has,
> > sadly, decided to go the (broken) route of adding LDAP basic-user auth,
>
> Less secure != broken, unless you know something I don't (and bear in mind
> I've seen your talk on the subject :-p )

You could make the same distinction and argument when talking about
NTLM, LANMAN, or even hash algorithms like MD5.  There are good reasons
for why Microsoft moved away from NTLM and why all of their applications
use Kerberos and explicitly not LDAP-simple-bind for authentication.

> LDAP was added as the first option whilst adding support for pluggable
> authentication mechanisms, partly because it's the one we're most
> familiar with, and partly because it's by far the most common option
> requested by users (and yes, whilst like you I would love to be able to
> tell them all to just use Kerberos, we both know that's not realistic).

The most requested, in my experience at least, isn't LDAP- it's Active
Directory integration, with an expectation that it'll work in the same,
secure, way that SQL Server integrates into AD.  That's not what any of
this is though- and we see people being confused and making incorrect
assumptions about what the LDAP support in PG is already, and I'm sure
they'll also be confused with pgAdmin4.

This is something that comes up too, and not even that long ago-

https://www.postgresql.org/message-id/flat/16079-29e9c038e1463751%40postgresql.org

The poster even claims that with ldap auth: "But the user credentials
will not be sent to Postgresql server to authenticate", which is clearly
wrong.

> > it'd really be good to, out of the box, make it support Kerberos-based
> > auth, even with the limitations you've described here.
>
> We already have a Kerberos module on our plan to follow on from the LDAP
> one. Following that we plan to also add support for Kerberos authentication
> to the database servers themselves.

Glad to hear it, I'd be happy to help with Kerberos auth support.
Sounds like it's actually rather easy to implement it, based on Peter's
comments (which isn't surprising, really, it's actually *not* very hard
to enable for a web app thanks to modules like mod_auth_kerb- probably a
great deal less code than the LDAP auth needed, in fact).

Thanks,

Stephen
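
Added example, not part of the original message and not pgAdmin or PostgreSQL code: a minimal BER encoder and decoder for the RFC 4511 simple BindRequest, showing that with LDAP simple-bind authentication the server accepting the login has to hold the user's password and forward it verbatim to the directory. The DN and password are constructed sample values, and the function names are illustrative.

```python
def _len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value

def build_simple_bind(message_id, dn, password):
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple}}; message_id 0..127 only."""
    bind = (_tlv(0x02, b"\x03")               # version: INTEGER 3
            + _tlv(0x04, dn.encode())         # name: bind DN
            + _tlv(0x80, password.encode()))  # simple [0]: the password itself
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))

def _read(buf, pos):
    """Read one TLV starting at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(packet):
    """Return (dn, password) exactly as the receiving directory server reads them."""
    tag, msg, _ = _read(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read(msg, 0)            # skip messageID
    tag, bind, _ = _read(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = _read(bind, 0)           # skip version
    _, dn, pos = _read(bind, pos)
    tag, cred, _ = _read(bind, pos)
    if tag != 0x80:
        raise ValueError("not simple authentication")
    return dn.decode(), cred.decode()

# Constructed sample values (assumption): not taken from any real directory.
SAMPLE = build_simple_bind(1, "uid=alice,ou=people,dc=example,dc=org", "S3cret-sample")
```

TLS on either hop protects these bytes in transit only; the server performing the bind still handles the plaintext password, which a Kerberos ticket exchange avoids.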
