Re: slightly off-topic: Central Auth

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Scot Kreienkamp" <SKreien(at)la-z-boy(dot)com>
Cc: ray(at)teladesign(dot)ie, pgsql-general(at)postgresql(dot)org
Subject: Re: slightly off-topic: Central Auth
Date: 2009-10-16 22:40:17
Message-ID: 13105.1255732817@sss.pgh.pa.us
Lists: pgsql-general

"Scot Kreienkamp" <SKreien(at)la-z-boy(dot)com> writes:
> On 16/10/2009 19:38, Scot Kreienkamp wrote:
>> ... We are a largely Windows shop with many app and
>> database servers running Linux. The Linux environment is growing too
>> large not to do centralized authentication of some kind.

> So I guess what I see taking shape is setting up everything to auth
> against PAM locally, then setting up local PAM to auth to a remote
> source.

What are you using for central auth in the Windows portions of your
shop?

What I'd suggest is that you standardize on Kerberos auth (that's what
it's called in the Unix world, MS might have another name for it).
You can definitely plug Linux into an Active Directory server for this,
and I believe that you have the option to switch it around in future
if you decide you'd rather have a Linux machine as your central auth
server.

If you decide to go with this approach and use PAM as intermediary,
you'll need the patch I just committed in response to bug #5121 --- it
turns out nobody had ever tried that with Postgres before :-(. But
I think it's also possible to just use PG's native Kerberos support
with AD, which would explain why nobody had tried it.

regards, tom lane
