Re: Using more than one LDAP?

From Paul Förster
Subject Re: Using more than one LDAP?
Msg-id CC9B3338-9972-4210-893C-895DDC7D5E8C@gmail.com
In reply to Re: Using more than one LDAP?  (Magnus Hagander <magnus@hagander.net>)
Responses Re: Using more than one LDAP?  (Magnus Hagander <magnus@hagander.net>)
List pgsql-general
Hi Magnus,

> On 06. Jan, 2021, at 16:57, Magnus Hagander <magnus@hagander.net> wrote:
>
> Yes. But you have a really hacky environment :P

actually not. We have an old LDAP which we want to retire this year. And we also have Windows AD, which offers LDAP. So
the idea is to switch the LDAP environments in PostgreSQL. The old LDAP uses aaa-u1, aaa-u2, etc. which are also
accounts in the database. But our Windows AD has bbb-u1, bbb-u2, etc. So just switching LDAPs doesn't work. I'd also
have to rename all users. Though it's just a one-liner, it would mean that users have to use their new names from one
second to the next. But we want a transition phase if that's possible.

> You could have a third LDAP instance that federates the other two.
>
> Another option could be to proxy it through something like FreeRADIUS.
> I'm fairly certain it can also move on to a secondary server if the
> first one reports login failure.

I can't. I'm no sysadmin and have no rights on systems to install anything except the PostgreSQL software. Also, the
network guys wouldn't be too happy. And then, there is a problem introducing new software, which is possible, but can
take months for us to get the necessary permissions.

> I assume you're not using any of the standard packagings then, as I
> believe they all come with support for GSSAPI. Yet another reason why
> it's a good idea to use that :)

no, we always compile from source and only what we need. I can build packages with GSSAPI compiled into it but it does
require me to have a small service interruption if I install packages with the same PostgreSQL version number, a
situation which I'd like to avoid, if possible.

> And no, gssapi does not use certificates.

that's good news as I'm not really happy about all that certificate stuff. ;-)

> pg_ident only works for authentication methods where the username
> comes from the other system, such as with Kerberos. It does not work
> for LDAP, where the username is specified in PostgreSQL.

I don't understand that. The doc says it should work for all external authentication services. Maybe I misread
something?...

Cheers,
Paul
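The distinction Magnus draws above (user-name maps apply only where the user name arrives from an external system such as Kerberos, not for LDAP) can be seen directly in the two PostgreSQL configuration files involved. The fragment below is an added illustration, not configuration posted by either participant; the realm EXAMPLE.COM, the host ldap.example.com, the LDAP base DN and the map name adusers are assumed placeholders, while the aaa-/bbb- user prefixes are taken from the thread.

```conf
# ---- pg_hba.conf (added example, not from the thread) ----
# TYPE         DATABASE  USER  ADDRESS     METHOD  OPTIONS
#
# GSSAPI: the client's Kerberos principal (e.g. bbb-u1@EXAMPLE.COM) is
# supplied by the KDC, so PostgreSQL will pass it through the user-name
# map named "adusers" in pg_ident.conf before choosing the role.
hostgssenc     all       all   0.0.0.0/0   gss     map=adusers
#
# LDAP: the role name is whatever the client sends in the startup packet;
# the server only uses it to build the bind DN. The "map=" option is not
# accepted for the ldap method, so no renaming can happen here and a
# client logging in as bbb-u1 must already exist as role bbb-u1.
host           all       all   0.0.0.0/0   ldap    ldapserver=ldap.example.com ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=com"

# ---- pg_ident.conf (added example, assumed realm EXAMPLE.COM) ----
# MAPNAME   SYSTEM-USERNAME                 PG-USERNAME
# A regular expression (leading "/") captures the part after the AD
# prefix; "\1" re-inserts it, so bbb-u1@EXAMPLE.COM maps to role aaa-u1.
adusers     /^bbb-(.*)@EXAMPLE\.COM$        aaa-\1
```

Both files are re-read on `pg_ctl reload` (or `SELECT pg_reload_conf();`), so the map can be adjusted without a restart. The mapping only ever runs for the gss line: a connection matched by the ldap line never consults pg_ident.conf, which is why the existing aaa-* and new bbb-* names cannot be bridged through LDAP alone.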

