Re: Fwd: [GENERAL] Using LDAP for PostgreSQL permissions/authentication

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Friday, September 13, 2013 2:17 PM -1000 Stephan Fabel 
<sfabel@hawaii.edu> wrote:

> > But it doesn't help with the headache of creating the accounts on all the
> > servers, or dropping them as part of employee termination procedures, or
> > doing security audits, or changing permissions on multiple servers when
> > an employee gets a promotion, etc.
>
> Nope; I'd use puppet or chef or something along those lines to deal with
> this aspect, much as I'd do with Unix accounts. ÂUsing nsswitch and
> tying every user name look up to LDAP has certain.. Âdrawbacks.

I would use dynamic groups in LDAP.  It would make all of this trivial.


> > Thus, when I go to log in as wmoran, LDAP checks my password, then
> > informs PostgreSQL to allow me in with specified roles, and I can do
> > operations granted to those roles.
>
> That's a little over-simplistic, isn't it? ÂWhat about objects which are
> created by the 'wmoran' account?

Again, I would use dynamic groups for roles.


> > Obviously, that's not how it works now ... my question is why not? ÂIs
> > it just a matter of nobody's gotten to it yet, or are there issues that
> > make such an implementation difficult/troublesome/impossible? ÂIf it's
> > possible, does anyone have any concept of how hard it would be to
> > implement?

I don't see any issue here that isn't already possible to do with OpenLDAP 
without any particular difficulty.

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra ::  the leader in open source messaging and collaboration