Обсуждение: Managing LDAP User permissions
All; I know from the docs I can deploy LDAP authentication, one we do this how do we manage permissions within the database foe various LDAP users? Can I setup automatic permissions based on LDAP groups? Can we ensure that if an employee leaves then these permissions are automatically removed? Is there a best practice for this? Thanks in advance
Removing user from ldap config will not remove from PG. As Far As Best Practices, I have always Expired the password in PG and comment on that employee left. We still leave theuser intact (with expired psswd) for any audit need. Expiring the psswd also gives you an exact timestamp in the db when they were denied db access. -----Original Message----- From: sbob <sbob@quadratum-braccas.com> Sent: Thursday, July 20, 2023 7:53 AM To: Pgsql-admin <pgsql-admin@lists.postgresql.org> Subject: [EXTERNAL] Managing LDAP User permissions All; I know from the docs I can deploy LDAP authentication, one we do this how do we manage permissions within the database foevarious LDAP users? Can I setup automatic permissions based on LDAP groups? Can we ensure that if an employee leaves then these permissions are automatically removed? Is there a best practice for this? Thanks in advance
That is approach adopted by my previous federal client when an employee or contractor rolls out of the project.
Thanks,
Sarwar
From: Wetmore, Matthew (CTR) <Matthew.Wetmore@express-scripts.com>
Sent: Thursday, July 20, 2023 11:10 AM
To: sbob <sbob@quadratum-braccas.com>; Pgsql-admin <pgsql-admin@lists.postgresql.org>
Subject: Managing LDAP User permissions
Sent: Thursday, July 20, 2023 11:10 AM
To: sbob <sbob@quadratum-braccas.com>; Pgsql-admin <pgsql-admin@lists.postgresql.org>
Subject: Managing LDAP User permissions
Removing user from ldap config will not remove from PG.
As Far As Best Practices, I have always Expired the password in PG and comment on that employee left. We still leave the user intact (with expired psswd) for any audit need.
Expiring the psswd also gives you an exact timestamp in the db when they were denied db access.
-----Original Message-----
From: sbob <sbob@quadratum-braccas.com>
Sent: Thursday, July 20, 2023 7:53 AM
To: Pgsql-admin <pgsql-admin@lists.postgresql.org>
Subject: [EXTERNAL] Managing LDAP User permissions
All;
I know from the docs I can deploy LDAP authentication, one we do this how do we manage permissions within the database foe various LDAP users?
Can I setup automatic permissions based on LDAP groups?
Can we ensure that if an employee leaves then these permissions are automatically removed?
Is there a best practice for this?
Thanks in advance
As Far As Best Practices, I have always Expired the password in PG and comment on that employee left. We still leave the user intact (with expired psswd) for any audit need.
Expiring the psswd also gives you an exact timestamp in the db when they were denied db access.
-----Original Message-----
From: sbob <sbob@quadratum-braccas.com>
Sent: Thursday, July 20, 2023 7:53 AM
To: Pgsql-admin <pgsql-admin@lists.postgresql.org>
Subject: [EXTERNAL] Managing LDAP User permissions
All;
I know from the docs I can deploy LDAP authentication, one we do this how do we manage permissions within the database foe various LDAP users?
Can I setup automatic permissions based on LDAP groups?
Can we ensure that if an employee leaves then these permissions are automatically removed?
Is there a best practice for this?
Thanks in advance