Re: Anyone? Best way to authenticate postgres against

Stephen Frost wrote:
> * John McCawley (nospam@hardgeus.com) wrote:
>> (I am working on this project with Derrick.) We have to use the Active
>> Directory to authenticate not only users from our client-side app (We're
>> attempting to use PostgreSQL essentially as a proxy authentication
>> mechanism), but also for connections to the SFTP server, and finally our
>> web app. Rather than doing three separate binding mechanisms, we wanted
>> to do the PAM/AD work once, and then have everything else defer to PAM
>> for authentication.

Ok. That certainly makes sense. Just that I can't help you then :-)



> Have you considered using Kerberos to auth against AD instead of trying
> to use LDAP binding?  If you still want to use PAM then you might check
> out libpam-krb5, which from a bit of googling appears to work w/ AD
> Kerberos.  Of course, an alternative might be to try using the native
> Kerberos support in Postgres which I've heard may work w/ the Postgres
> ODBC driver...

The native one works very well with the ODBC driver, and should work
with anything based off libpq. Which means anything that's not Java or
.NET, I think.


> Personally, I've gotten the Postgres ODBC driver working under windows
> with MIT Kerberos and I've gotten Firefox under Windows working w/ MIT
> Kerberos and using negotiate with Apache2 to authenticate users of
> PhpPgAdmin to Postgres.  I'm pretty sure all of this is possible with AD
> instead of MIT Kerberos, or possibly even through a cross-realm setup.

It works with AD on the server side, you still need to install MIT
Kerberos on the client.

//Magnus