From: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> |
---|---|
To: | Robert Fleming <fleminra(at)gmail(dot)com> |
Cc: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: LDAP where DN does not include UID attribute |
Date: | 2009-09-14 23:56:42 |
Message-ID: | dcc563d10909141656g390b47eo3e2bd99313348f0b@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin |
On Mon, Sep 14, 2009 at 5:47 PM, Robert Fleming <fleminra(at)gmail(dot)com> wrote:
> On Mon, Sep 14, 2009 at 4:23 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>
>> Robert Fleming <fleminra(at)gmail(dot)com> writes:
>> > But I would like to authenticate to PostgreSQL using the "uid" LDAP
>> > attribute,
>>
>> What value does that have that would justify doubling the time needed
>> to authenticate? (I presume two LDAP requests will take about twice
>> as long as one...)
>
> That's just the way the company LDAP is setup -- it's out of my control
> unfortunately.
>
> Our schema used to have the uid in the DN, and I always wrote our enterprise
> software to just do the bind without a search. When the LDAP schema
> changed, my reaction was the same as yours, but when I saw that Bugzilla,
> MediaWiki, etc. accommodate it without flinching, I figured it wasn't too
> uncommon, so I changed my own software. Other software that supports it:
> Tiki wiki, Apache's mod_authnz_ldap, ejabberd. I think I had to tweak some
> Perl for jabberd <jabberd.org> to handle it.
>
> It might be twice as slow, but if PostgreSQL were smart or configurable
> enough, it could skip the search when not necessary. So performance needn't
> be impacted.
On a large ldap schema it's WAY more than twice as slow. A Search is
about 10 to 20 times slower on most ldap servers. I've seen machines
handling 1,000 or more auths per second slow to a crawl due to this
type of change.
From | Date | Subject | |
---|---|---|---|
Next Message | Robert Fleming | 2009-09-15 00:23:44 | Re: LDAP where DN does not include UID attribute |
Previous Message | Robert Fleming | 2009-09-14 23:47:57 | Re: LDAP where DN does not include UID attribute |