Обсуждение: [HACKERS] USER Profiles for PostgreSQL

Поиск
Список
Период
Сортировка

[HACKERS] USER Profiles for PostgreSQL

От
chiru r
Дата:
Hi All,

Good Morning.

We are looking  for User profiles in ope source PostgreSQL.

For example, If a  user password failed n+ times while login ,the user access has to be blocked few seconds. 
 
Please let us know, is there any plan to implement user profiles in feature releases?.


Thanks,
Chiranjeevi


 

Re: [HACKERS] USER Profiles for PostgreSQL

От
Tom Lane
Дата:
chiru r <chirupg@gmail.com> writes:
> We are looking  for User profiles in ope source PostgreSQL.
> For example, If a  user password failed n+ times while login ,the user
> access has to be blocked few seconds.
> Please let us know, is there any plan to implement user profiles in feature
> releases?.

Not particularly.  You can do that sort of thing already via PAM,
for example.
        regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [GENERAL] [HACKERS] USER Profiles for PostgreSQL

От
Stephen Frost
Дата:
Tom,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> chiru r <chirupg@gmail.com> writes:
> > We are looking  for User profiles in ope source PostgreSQL.
> > For example, If a  user password failed n+ times while login ,the user
> > access has to be blocked few seconds.
> > Please let us know, is there any plan to implement user profiles in feature
> > releases?.
>
> Not particularly.  You can do that sort of thing already via PAM,
> for example.

Ugh, hardly and it's hokey and a huge pain to do, and only works on
platforms that have PAM.

Better is to use an external authentication system (Kerberos, for
example) which can deal with this, but I do think this is also something
we should be considering for core, especially now that we've got a
reasonable password-based authentication method with SCRAM.

Thanks!

Stephen

Re: [GENERAL] [HACKERS] USER Profiles for PostgreSQL

От
Melvin Davidson
Дата:


On Tue, Sep 19, 2017 at 1:28 PM, Stephen Frost <sfrost@snowman.net> wrote:
Tom,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> chiru r <chirupg@gmail.com> writes:
> > We are looking  for User profiles in ope source PostgreSQL.
> > For example, If a  user password failed n+ times while login ,the user
> > access has to be blocked few seconds.
> > Please let us know, is there any plan to implement user profiles in feature
> > releases?.
>
> Not particularly.  You can do that sort of thing already via PAM,
> for example.

Ugh, hardly and it's hokey and a huge pain to do, and only works on
platforms that have PAM.

Better is to use an external authentication system (Kerberos, for
example) which can deal with this, but I do think this is also something
we should be considering for core, especially now that we've got a
reasonable password-based authentication method with SCRAM.

Thanks!

Stephen

Perhaps, as an alternative, although not currently supported, connection attempts can be added in the future to "Event Triggers"?
Users could then create a trigger function to enable/disable logins.

--
Melvin Davidson
I reserve the right to fantasize.  Whether or not you
wish to share my fantasy is entirely up to you.

Re: [GENERAL] [HACKERS] USER Profiles for PostgreSQL

От
Bruce Momjian
Дата:
On Tue, Sep 19, 2017 at 01:28:11PM -0400, Stephen Frost wrote:
> Tom,
> 
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > chiru r <chirupg@gmail.com> writes:
> > > We are looking  for User profiles in ope source PostgreSQL.
> > > For example, If a  user password failed n+ times while login ,the user
> > > access has to be blocked few seconds.
> > > Please let us know, is there any plan to implement user profiles in feature
> > > releases?.
> > 
> > Not particularly.  You can do that sort of thing already via PAM,
> > for example.
> 
> Ugh, hardly and it's hokey and a huge pain to do, and only works on
> platforms that have PAM.
> 
> Better is to use an external authentication system (Kerberos, for
> example) which can deal with this, but I do think this is also something
> we should be considering for core, especially now that we've got a
> reasonable password-based authentication method with SCRAM.

Does LDAP do this too?

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [GENERAL] [HACKERS] USER Profiles for PostgreSQL

От
chiru r
Дата:
Yes, LDAP will do. However we need to sync the user accounts and  groups between AD and PG servers.and then AD profiles will apply to PG user accounts for authentication.

It is good if we have user profiles in core PostgreSQL database system. So it will add more security.

Thanks,
Chiranjeevi

On Tue, Sep 19, 2017 at 3:09 PM, Bruce Momjian <bruce@momjian.us> wrote:
On Tue, Sep 19, 2017 at 01:28:11PM -0400, Stephen Frost wrote:
> Tom,
>
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > chiru r <chirupg@gmail.com> writes:
> > > We are looking  for User profiles in ope source PostgreSQL.
> > > For example, If a  user password failed n+ times while login ,the user
> > > access has to be blocked few seconds.
> > > Please let us know, is there any plan to implement user profiles in feature
> > > releases?.
> >
> > Not particularly.  You can do that sort of thing already via PAM,
> > for example.
>
> Ugh, hardly and it's hokey and a huge pain to do, and only works on
> platforms that have PAM.
>
> Better is to use an external authentication system (Kerberos, for
> example) which can deal with this, but I do think this is also something
> we should be considering for core, especially now that we've got a
> reasonable password-based authentication method with SCRAM.

Does LDAP do this too?

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +

Re: [GENERAL] [HACKERS] USER Profiles for PostgreSQL

От
Stephen Frost
Дата:
Bruce,

* Bruce Momjian (bruce@momjian.us) wrote:
> On Tue, Sep 19, 2017 at 01:28:11PM -0400, Stephen Frost wrote:
> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > > chiru r <chirupg@gmail.com> writes:
> > > > We are looking  for User profiles in ope source PostgreSQL.
> > > > For example, If a  user password failed n+ times while login ,the user
> > > > access has to be blocked few seconds.
> > > > Please let us know, is there any plan to implement user profiles in feature
> > > > releases?.
> > >
> > > Not particularly.  You can do that sort of thing already via PAM,
> > > for example.
> >
> > Ugh, hardly and it's hokey and a huge pain to do, and only works on
> > platforms that have PAM.
> >
> > Better is to use an external authentication system (Kerberos, for
> > example) which can deal with this, but I do think this is also something
> > we should be considering for core, especially now that we've got a
> > reasonable password-based authentication method with SCRAM.
>
> Does LDAP do this too?

Active Directory does this, with Kerberos as the authentication
mechanism.  Straight LDAP might also support it, but I wouldn't
recommend it because it's really insecure as the PG server will see the
user's password in the cleartext (and it may be sent in cleartext across
the network too unless careful steps are taken to make sure that the
client only ever connects over SSL to a known trusted and verified
server).

Thanks!

Stephen