Re: LDAP authentication

From: Tommi Maekitalo <t(dot)maekitalo(at)epgmbh(dot)de>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: LDAP authentication
Date: 2002-10-24 10:06:12
Message-ID: 200210241206.12448.t.maekitalo@epgmbh.de
Lists: pgsql-general

Hi,

I just tried it out. PAM works fine with pam_ldap on Linux. But as I told you,
you need to create database users. I just configured PostgreSQL with --with-pam
and created (or copied one and modified) a /etc/pam.d/postgresql. Here it is:

#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok try_first_pass #set_secrpc
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_pwcheck.so nullok
password required pam_ldap.so use_first_pass use_authtok
password required pam_unix.so nullok use_first_pass use_authtok

Maybe you can create users with a cronjob, which queries LDAP on a daily basis
about new (and retired) users. PostgreSQL does need entries in pg_shadow. I
think it would be hard to hack authentication so that it does not need them.

It might be fine to see a generic way to create pg_shadow on the fly like nss
does. It should be a table-function, which might query an LDAP tree.

Tommi

On Wednesday, 23 October 2002 23:26, Richard Ray wrote:
> I've had no luck getting PAM to work with PostgreSQL on HP/UX 11.00 and I
> read that PostgreSQL doesn't allow user triggers on system tables. Not much
> left but hack the PostgreSQL authentication code.
>
> Richard
>
> On Wednesday 23 October 2002 03:29 pm, you wrote:
> > Postgresql supports pam. And there is pam_ldap. I haven't tried out yet.
> > But I'm sure you need to create users in postgresql. Just authentication
> > comes through pam. There is no nss_ldap as far as I know.
> >
> >
> > Tommi
> >
> > On Wednesday, 23 October 2002 21:38, Richard Ray wrote:
> > > Does anyone know if anyone has tried to use LDAP for authentication?
> > > The management here is insisting on it. I'll write it from scratch if
> > > necessary. Any hints or pointers are appreciated.
> > >
> > > Thanks
> > > Richard

--
Dr. Eckhardt + Partner GmbH
http://www.epgmbh.de
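
The daily LDAP-to-database user sync suggested in the message above, as an added example that is not part of the original post: it plans the role changes from ldapsearch LDIF output and validates every LDAP-supplied name before it reaches SQL. It assumes a current PostgreSQL with roles (pg_roles.rolcanlogin) rather than the pg_shadow of the thread; the uid pattern, the PROTECTED set and all function names are hypothetical.

```python
import base64
import re

# Assumptions (not from the thread): uid naming rule and the roles the job never touches.
SAFE_UID = re.compile(r"[a-z_][a-z0-9_.-]{0,62}")
PROTECTED = {"postgres"}

def ldap_uids(ldif):
    """Return (accepted, rejected) uid values found in ldapsearch LDIF output."""
    accepted, rejected = set(), []
    for line in ldif.splitlines():
        if line.startswith("uid:: "):  # LDIF base64 form, used for non-ASCII values
            value = base64.b64decode(line[6:]).decode("utf-8", "replace")
        elif line.startswith("uid: "):
            value = line[5:].strip()
        else:
            continue
        if SAFE_UID.fullmatch(value) and value not in PROTECTED:
            accepted.add(value)
        else:
            rejected.append(value)  # never reaches SQL; log it for the admin
    return accepted, rejected

def quote_ident(name):
    """Quote an SQL identifier, doubling embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'

def plan_sync(ldif, pg_roles):
    """pg_roles maps role name -> rolcanlogin; returns (sql statements, rejected uids)."""
    uids, rejected = ldap_uids(ldif)
    sql = []
    for uid in sorted(uids):
        if uid not in pg_roles:  # new in LDAP; no password, PAM verifies it
            sql.append(f"CREATE ROLE {quote_ident(uid)} LOGIN;")
        elif not pg_roles[uid]:  # returned after being disabled
            sql.append(f"ALTER ROLE {quote_ident(uid)} LOGIN;")
    for role in sorted(pg_roles):
        if pg_roles[role] and role not in uids and role not in PROTECTED:
            sql.append(f"ALTER ROLE {quote_ident(role)} NOLOGIN;")  # retired in LDAP
    return sql, rejected

# Constructed sample input: uid lines as ldapsearch would print them, and current roles.
SAMPLE_LDIF = 'uid: alice\nuid: bob\nuid: Robert "Bob" Smith\nuid:: am9zw6k=\nuid: postgres\n'
SAMPLE_ROLES = {"postgres": True, "bob": False, "carol": True}

if __name__ == "__main__":
    statements, rejected = plan_sync(SAMPLE_LDIF, SAMPLE_ROLES)
    print("\n".join(statements), "\nrejected:", rejected)
```

Retired users are set to NOLOGIN instead of being dropped because a role that still owns objects cannot be dropped.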
