Re: Ldap config for Active Directory

Greetings,

* Sylvain Deveaux (Sylvain.Deveaux@niwa.co.nz) wrote:
> Why do you say that you can't use kerberos w/ apps?
>
> I prefer to not reply to this one otherwise I won't be kind with some people... 😅️

... ok, but let's try to make clear the distinction of "$people won't
let me do this" from "this isn't possible" when posting, as otherwise
people who read the lists may get misled or confused.

> Note that using ldap auth means sending the user's password to the PG
> server in cleartext, which is extremely insecure and means that a
> compromised PG server could be used to steal the credentials of any user
> logging in using this method.
>
> I agree... but for now I can't switch a to full Kerberos setup...

I'd suggest you push back a bit harder on this as it's much, much more
secure to use Kerberos and it's how all the various services in the AD
world operate.  Services that pass passwords around in cleartext are
really very insecure.

Thanks,

Stephen