Re: ldapbindpasswdfile

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: ldapbindpasswdfile
Date: 2019-05-14 20:24:15
Message-ID: A98C43DA-21BC-4834-8559-B766038E3329@yesql.se
Lists: pgsql-hackers

> On 14 May 2019, at 03:49, Thomas Munro <thomas(dot)munro(at)gmail(dot)com> wrote:

> I propose a new option $SUBJECT so that users can at least add a level of
> indirection and put the password in a file.

+1, seems like a reasonable option to give.

> Draft patch attached.

I might be a bit thick, but this is somewhat hard to parse IMO:

+ File containing the password for user to bind to the directory with to
+ perform the search when doing search+bind authentication
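
Review bot: the added sentence chains "to bind to the directory with to perform the search", so it is unclear on first read whether "with" attaches to the user or to the password. Something like "File containing the password for the user that binds to the directory to perform the search when doing search+bind authentication" reads in one pass and keeps the same meaning.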

To add a little bit more security around this, does it make sense to check (on
unix filesystems) that the file isn’t world readable/editable?

+ fd = OpenTransientFile(path, O_RDONLY);
+ if (fd < 0)
+ return -1;
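
Review bot: the `fd < 0` branch returns -1 without reporting errno or the path, so from these lines an administrator cannot tell a missing file from an unreadable one; report the file name and `%m` here unless every caller does so. If a permission check is added, do it with fstat() on this fd rather than stat() on path, so the file that is checked is the file that is read.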

cheers ./daniel
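
The permission check raised in the message above, as an added example that is not part of the original post or the draft patch: a stand-alone POSIX C helper that refuses a password file that is world readable or world writable. The name `read_password_file` and the use of `EACCES` for "permissions too open" are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not PostgreSQL code): read a bind password from
 * "path" into buf. Returns 0 on success, -1 with errno set on failure.
 * EACCES is used here to signal "file is world readable or writable".
 */
int
read_password_file(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    ssize_t     n;
    int         fd, saved;

    if (buflen == 0) { errno = EINVAL; return -1; }
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;              /* errno from open() tells the caller why */

    /* fstat() the descriptor we opened, not the path, so the file that
     * is checked is the file that is read (no check-then-open race). */
    if (fstat(fd, &st) < 0)
        goto fail;
    if (!S_ISREG(st.st_mode)) { errno = EINVAL; goto fail; }
    if (st.st_mode & (S_IROTH | S_IWOTH)) { errno = EACCES; goto fail; }

    /* One read is enough for a short secret in a regular file. */
    n = read(fd, buf, buflen - 1);
    if (n < 0)
        goto fail;
    close(fd);
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';   /* keep the first line only */
    return 0;

fail:
    saved = errno;              /* close() may overwrite errno */
    close(fd);
    errno = saved;
    return -1;
}
```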