Re: TODO: GNU TLS

> > I do not like --with-krb5 because it has extremely limited real world
> > use.
>
> Riiigghhhttt... Only every Windows setup which uses Active Directory,
> most major universities, and certain large corporations (uh, AOL?) would
> even think to use something like Kerberos!

I said "Extremely Limited" real world use. Between just two of my
customers, in the next 2 years we (CMD) will have 12 thousand postgresql
installations. Not one of them will use Kerberos.

>
> > I do not like --with-pam but only because I have never gotten it to
> > work.
>
> We use it on some of our production systems (since it can provide
> cracklib, password expiration, etc, and the postgres instance inside
> it's own vserver so it doesn't hurt as much to make the passwd/shadow
> files available to it...). I'd be happy to help you get it to work if
> you'd like, and I could even provide you with some PG/C functions to use
> password changing and password aging. :)

Oh, I am sure it is great. I have just never tried that hard to get it
to work :)

> > I do like --with-ldap because it is pretty much standard within
> > directory lookups by the nature of Active Directory.
>
> Funny you like LDAP but not Kerberos, both of which are part of Active
> Directory... Using LDAP simple binds to AD for authentication is
> *quite* silly and *much* less secure than using Kerberos...

Yes but LDAP gives me a lot of other things, easily and it has SSL. SSL
+ Firewall gives me 98% of the security I need.

Sincerely,

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate