Hi!

I want to pull authorization information from LDAP for my PostgreSQL
database. I use kerberos for authentication, so I do *not* want to use
LDAP for authentication. I want to pull group membership from LDAP and
match it to the kerberos-provisded usernames. Preferrably the users
should be auto-created if needed, but the groups are created by the
admin (users shuold only be autocreated if they are members of these
groups, of course).

I see two ways of doing this:
1) Have an external process that syncs database users and groups to the
LDAP directory. I have no need for "instant updates" (if a new user is
added, it's Ok if it takes an hour or so before he can log in to the
database). Does somebody know of a tool that does this already?

2) Somehow have this functionality in the backend authorization code -
"native support for LDAP groups". Those who have digged around those
parts of the code, is this something that seems reasonable to do? Is it
something we'd want in the backend at all?


//Magnus


---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match

* Magnus Hagander (mha@sollentuna.net) wrote:
> I want to pull authorization information from LDAP for my PostgreSQL
> database. I use kerberos for authentication, so I do *not* want to use
> LDAP for authentication. I want to pull group membership from LDAP and
> match it to the kerberos-provisded usernames. Preferrably the users
> should be auto-created if needed, but the groups are created by the
> admin (users shuold only be autocreated if they are members of these
> groups, of course).

Kind of a neat idea, but...

> I see two ways of doing this:
> 1) Have an external process that syncs database users and groups to the
> LDAP directory. I have no need for "instant updates" (if a new user is
> added, it's Ok if it takes an hour or so before he can log in to the
> database). Does somebody know of a tool that does this already?

I don't know of a tool that does it already but it doesn't sound too
difficult to do, honestly.

> 2) Somehow have this functionality in the backend authorization code -
> "native support for LDAP groups". Those who have digged around those
> parts of the code, is this something that seems reasonable to do? Is it
> something we'd want in the backend at all?

The user/group system is having something of an overhaul at the moment.
Basically I'm working on implementing roles. I think the problem at the
moment is that Postgres has no system in place for checking user or
group information externally/dynamically during operation really.
There's some support in the authentication code for checking external
sources (Kerberos, PAM, etc) for users. Once you're connected and
authenticated though, all of the user information, group information,
access controls, etc, are done using Postgres' 'system cache' and the
system tables/indexes. Changing that would require quite a bit of
effort...

Stephen

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCdjwlrzgMPqB3kigRAkG7AJ0XFnFqUTkCKGDZwnlbnv NjGEhhygCdFpGl
UgJUqDa0uQPTQb5dPefeqGQ=
=ayrw
-----END PGP SIGNATURE-----