Обсуждение: Coordinating database user accounts with active directory

I have a client that wants to use active directory for authentication
of connections to a postgres database.  They want to be able to
monitor what each user is doing so believe that the best solution is
to have one database account per user.  However, they do not want to
have to manage the database accounts.

Is there a simple way of coordinating active directory users with
database accounts?  I am happy to write tools to deal with the
database end of things, but have no experience with active
directory.  Any and all suggestions would be appreciated.

__
Marc

On 21/11/2007 19:44, Marc Munro wrote:
> Is there a simple way of coordinating active directory users with
> database accounts?  I am happy to write tools to deal with the database
> end of things, but have no experience with active directory.  Any and

You could use a VBScript script on the domain server to dump a
comma-delimited list of users, then use this to generate CREATE USER
statements to create the database users.

I'm not an expert on AD, but I recently had to write a script to
bulk-create user accounts in AD, and I'd be happy to share that with you
if it would give you some pointers.

Ray.


---------------------------------------------------------------
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
rod@iol.ie
---------------------------------------------------------------

Raymond O'Donnell wrote:
> On 21/11/2007 19:44, Marc Munro wrote:
>> Is there a simple way of coordinating active directory users with
>> database accounts?  I am happy to write tools to deal with the
>> database end of things, but have no experience with active directory.
>> Any and
>
> You could use a VBScript script on the domain server to dump a
> comma-delimited list of users, then use this to generate CREATE USER
> statements to create the database users.

The tricky bit (I'd guess) is to trigger a script when a new user is
created on the Windows side of things. There seem to be people
authenticating via Windows otherwise.

I don't know of a hook on Windows that fires on the user-creation event.
Would a cron-job + samba tools do, or does it need to be up + running
the same instant as the Windows-user?

--
   Richard Huxton
   Archonet Ltd

On 21/11/2007 22:32, Richard Huxton wrote:
> The tricky bit (I'd guess) is to trigger a script when a new user is
> created on the Windows side of things. There seem to be people

Yeah... I was thinking in terms of doing it just once, which is what I
do - it's for an educational institution, meaning it has to be done just
once a year, so I do it by hand when all the students are registered.

> I don't know of a hook on Windows that fires on the user-creation event.
> Would a cron-job + samba tools do, or does it need to be up + running
> the same instant as the Windows-user?

I don't either. Maybe a cron job that checks for new AD users via LDAP
and creates the database user when one is found? I don't know whether
you can tell when a user is created from LDAP....if you can, then new
users are those created since the last time you checked; and if not,
then you have to store all the users created thus far so as to tell
who's new, so it gets a little messy.

Just thinking out loud....

Ray.

---------------------------------------------------------------
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
rod@iol.ie
---------------------------------------------------------------