Discussion: LDAP Authentication


LDAP Authentication

From
Joseph Kregloh
Date:
I am currently setting up various environments to allow our developers to login to Postgresql using their LDAP password. Also limiting the servers they can access.

I have successfully set up LDAP and set up simple authentication using simple bind. This was my test case. Now I need to move to the next level, which would be search and bind. This will allow me to grant access to particular servers for some people. I am not sure where or how the ldapsearchattribute comes into play.

For example, this would be the search filter I will use: (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))

So it makes sure that the object class is posixAccount and the user id is $username; the next match is host = $hostname, host = $fqdn, or host = *. These are attributes on the user's account.

How will Postgres match the username? How does it pass it to the query? Everything else I can hardcode into the search filter.

Would an ldapurl be better here? But again how will I pass the uid to the ldapurl?

Thanks,
-Joseph Kregloh
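
As an added illustration for the question above (not PostgreSQL's code and not part of the original thread), this models what a search+bind authenticator does with the client-supplied user name in the two pg_hba.conf modes: ldapsearchattribute, which builds (attr=username) and was the only mode available when this thread was written, and a $username-placeholder filter (ldapsearchfilter, available since PostgreSQL 11) like the one in the post. The host names db1 and db1.example.com are constructed, and the user name is escaped per RFC 4515 so a crafted name cannot change the filter's structure.

```python
from typing import Optional

# RFC 4515 escaping for values that are placed inside a search filter.
# Without this, a user name such as "*)(uid=*" would rewrite the filter
# and the search could match any account instead of exactly one.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def search_filter_for(username: str, searchattribute: str = "uid",
                      searchfilter: Optional[str] = None) -> str:
    """Build the filter sent in the search phase of search+bind.

    searchattribute mode: the server constructs (attr=username) itself.
    searchfilter mode:    the server replaces every $username placeholder.
    In both modes the user name is escaped first; everything else in the
    filter is operator-controlled configuration, exactly as in the post.
    """
    safe = escape_filter_value(username)
    if searchfilter is None:
        return f"({searchattribute}={safe})"
    return searchfilter.replace("$username", safe)


# The filter from the original message with $hostname/$fqdn already filled
# in for one (constructed) server.  A literal '*' in the host attribute is
# written as \2a so it is compared as data, not treated as a wildcard.
HOST_FILTER = ("(&(objectClass=posixAccount)(uid=$username)"
               "(|(host=db1)(host=db1.example.com)(host=\\2a)))")


if __name__ == "__main__":
    # Plain user name in the attribute-only mode.
    print(search_filter_for("alice"))
    # Same user name through the host-restricting filter from the post.
    print(search_filter_for("alice", searchfilter=HOST_FILTER))
    # A hostile user name: the structural characters are neutralised.
    print(search_filter_for("*)(uid=*", searchfilter=HOST_FILTER))
```

The host restriction therefore still lives in the LDAP search; what the search cannot do is replace CREATE USER and GRANT on each server, which the replies below address.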

Re: LDAP Authentication

From
John R Pierce
Date:
On 4/22/2015 11:37 AM, Joseph Kregloh wrote:
> I have successfully set up LDAP and set up simple authentication using
> simple bind. This was my test case. Now I need to move to the next
> level, which would be search and bind. This will allow me to grant
> access to particular servers for some people. I am not sure where or
> how the ldapsearchattribute comes into play.
>


you would do this by CREATE USER on the various servers for those
people, along with GRANT.  LDAP only provides authentication, it doesn't
manage authorization.

--
john r pierce, recycling bits in santa cruz
Re: LDAP Authentication

From
Joseph Kregloh
Date:
On Wed, Apr 22, 2015 at 5:30 PM, John R Pierce <pierce@hogranch.com> wrote:
> On 4/22/2015 11:37 AM, Joseph Kregloh wrote:
>> I have successfully set up LDAP and set up simple authentication using simple bind. This was my test case. Now I need to move to the next level, which would be search and bind. This will allow me to grant access to particular servers for some people. I am not sure where or how the ldapsearchattribute comes into play.
>
> you would do this by CREATE USER on the various servers for those people, along with GRANT.  LDAP only provides authentication, it doesn't manage authorization.

I see. That would still require a manual process to create the user on each server. I was planning on using some already existing scripts to create the user automatically on all servers, and then LDAP would authorize depending on attributes in their LDAP profile.

Re: LDAP Authentication

From
John R Pierce
Date:
On 4/22/2015 2:57 PM, Joseph Kregloh wrote:
> I see. That would still require a manual process to create the user on each server. I was planning on using some already existing scripts to create the user automatically on all servers, and then LDAP would authorize depending on attributes in their LDAP profile.

but that's not how it works, so all the 'planning' in the world won't change a thing.

access rights per database are managed with GRANT, users must be CREATE USER on each server regardless of how they are authenticated.

-- 
john r pierce, recycling bits in santa cruz

Re: LDAP Authentication

From
Rafal Pietrak
Date:
On 23.04.2015 at 00:06, John R Pierce wrote:
> On 4/22/2015 2:57 PM, Joseph Kregloh wrote:
>> I see. That would still require a manual process to create the user on each server. I was planning on using some already existing scripts to create the user automatically on all servers, and then LDAP would authorize depending on attributes in their LDAP profile.
>
> but that's not how it works, so all the 'planning' in the world won't change a thing.
>
> access rights per database are managed with GRANT, users must be CREATE USER on each server regardless of how they are authenticated.

As I understand:
1. postgresql maintains whatever's GRANTed within its system tables.
2. postgresql supports DBLINK

<whatif>
there was a way to supplement (join) system rights table with DBLINKed LDAP?
</whatif>

-R