Re: ldapbindpasswdfile

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: ldapbindpasswdfile
Date: 2019-06-21 13:21:42
Message-ID: 20190621132142.GJ2480@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Thomas Munro (thomas(dot)munro(at)gmail(dot)com) wrote:
> I also know that a motivated user could also use GSSAPI instead of
> LDAP. Do you think we should update the manual to say so, perhaps in
> a "tip" box on the LDAP auth page?

Hrm, not sure how I missed this before, but, yes, I'm all for adding a
'tip' box on the LDAP auth page which recommends use of GSSAPI when
available (such as when operating in an Active Directory
environment...). Note that, technically, you can run LDAP without using
Active Directory and without running any kind of KDC, so we can't just
blanket say "use GSSAPI" because there exist use-cases where that isn't
an option.

Not that I've ever actually *encountered* such an environment, but
people have assured me that they do, in fact, exist, and that there are
users of PG LDAP auth with such a setup who would be upset to see
support for it removed.

Anyhow, yes, a 'tip' would be great to add.

Thanks,

Stephen
