Re: Best practice? Web application: single PostgreSQL

From: "Keith G(dot) Murphy" <keithmur(at)mindspring(dot)com>
To: johnsw(at)wardbrook(dot)com
Cc: pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: Best practice? Web application: single PostgreSQL
Date: 2004-01-13 17:15:30
Message-ID: 400427B2.90908@mindspring.com
Lists: pgsql-general

John Sidney-Woollett wrote:

> Keith G. Murphy said:
>
>>That sounds like an excellent compromise. How do you typically handle
>>the mechanics of authentication from web server to PostgreSQL on the
>>connect, using this scheme?
>
>
> Sorry but I can't help you out here, I'm too much of a newbie with
> Postgres - I was hoping that someone else would answer your part 1! :)
>
> John
>
Perhaps I can answer my own question. I could use ident and a map that
lists the web server username as able to map to the different "role"
usernames. Unfortunately, that still would allow the web server account
to "fake" role names.

If the "real" PostgreSQL accounts do not coincide with the
browser-authenticated usernames, I don't see a good way to use PAM/LDAP
or another mechanism to require that PostgreSQL itself makes sure that
the given username and password are valid. Not saying that's a big
problem, but...

Hmmm, mightn't it be kind of nice if there were PAM or krb5 maps in
addition to ident maps?
--
Why waste time learning when ignorance is instantaneous?
-- Hobbes
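
The ident-map idea in the message above, as an added example that is not part of the original post: a small audit that parses a `pg_ident.conf`-style map and lists every database role a single OS account can name at connect time, which is the "fake role names" exposure the message points out. The map name, OS user and role names are hypothetical, the sample file content is constructed, and only literal three-field entries are handled (regex entries are rejected).

```python
# Added example: audit which PostgreSQL roles one OS account can assume via an ident map.
from collections import defaultdict

# Constructed pg_ident.conf content; map, user and role names are hypothetical.
SAMPLE_PG_IDENT = """\
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
webroles    www-data          app_reader
webroles    www-data          app_editor
webroles    www-data          app_admin   # admin role reachable too
localadmin  postgres          postgres
"""

def parse_ident_map(text):
    """Return {map_name: {system_user: set(db_roles)}} for literal entries."""
    maps = defaultdict(lambda: defaultdict(set))
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        map_name, system_user, db_role = fields
        if system_user.startswith("/"):
            raise ValueError(f"line {lineno}: regex entries are not handled here")
        maps[map_name][system_user].add(db_role)
    return maps

def roles_reachable(maps, map_name, system_user):
    """Every database role the OS account may name when it connects."""
    return sorted(maps.get(map_name, {}).get(system_user, set()))

def over_broad(maps, limit=1):
    """(map, system_user, roles) where one OS account maps to more than `limit` roles."""
    return [(m, u, sorted(r)) for m, users in maps.items()
            for u, r in users.items() if len(r) > limit]

if __name__ == "__main__":
    maps = parse_ident_map(SAMPLE_PG_IDENT)
    for m, u, roles in over_broad(maps):
        # ident checks only the OS account, so any listed role can be requested.
        print(f"map {m}: OS user {u} can connect as any of {roles}")
```

Anything `over_broad` reports is a set of roles the database cannot tell apart by caller, so privileges granted to the most powerful role in the set are effectively available to the whole OS account.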
