
Re: Authentication in 1.3

On Jan 30, 2008 12:36 PM, The Anarcat <..hidden..> wrote:
> On Wed, Jan 30, 2008 at 11:24:41AM +0000, ..hidden.. wrote:
> > That said, Postgres does provide for LDAP, Kerberos and PAM-based
> > authentication, so it is still possible to have external authentication
> > for LSMB, just one level removed.  I had LDAP in mind anyway...
>
> Having participated in that discussion about authentication, I can only
> applaud the direction 1.3 is taking, in that case.
>
> However, the above makes me wonder:
>
> What happens when you plug postgres into (say) kerberos? All Kerberos
> users become pgsql users? And all pgsql users are necessarily kerberos
> users?

Not quite.

You still have to create the user in PostgreSQL.  It would be more accurate to say
"All Kerberos users are potential PostgreSQL users, and all PostgreSQL users *MUST* be Kerberos users to access systems where Kerberos is set."

Basically, PgSQL still needs to know about the users and still must handle the security and authorization/auditing components.  However PgSQL users could then use Kerberos to prove their identity to PostgreSQL.  Hence Kerberos is only one A out of the AAA system.


> This sounds a bit problematic to my ears in the traditional context of
> having "one user per CMS install", for example, on web applications.
> (e.g. I don't want my Drupal database user to have an account in the
> Kerberos database...)

Take a look at the documentation regarding the pg_hba.conf.  Kerberos (or any other authentication option) can be enabled per remote-host/user/database combination.

Best Wishes,
Chris Travers
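The per-host/user/database matching that the reply above points to lives in pg_hba.conf, and PostgreSQL applies it first-match-wins: the first line whose connection type, address, database and user all match decides the authentication method, and a connection that matches no line is refused. The example below is added here and is not code from the LedgerSMB project or from either poster; it re-implements that lookup over a constructed pg_hba.conf so the Drupal-style "one role per web app" case and the Kerberos case can be seen side by side. It handles only the subset of the file format it uses (`local` and `host` lines, `all`, comma-separated name lists, CIDR addresses); `+group`, `samerole`, `hostssl`/`hostnossl`, address/netmask pairs and the `replication` pseudo-database are left out. `gss` is the current method name for Kerberos via GSSAPI; PostgreSQL of the 8.x era spelled it `krb5`.

```python
"""Resolve which pg_hba.conf line governs a PostgreSQL connection attempt.

Added example (not LedgerSMB code): mirrors PostgreSQL's first-match rule on a
constructed sample file.  Only a subset of the pg_hba.conf grammar is parsed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample pg_hba.conf.  The web application's own role keeps
# password auth on the local socket; LedgerSMB users on the office network
# must present a Kerberos ticket; everything else is refused explicitly.
SAMPLE_HBA = """
# TYPE  DATABASE    USER      ADDRESS          METHOD
local   drupal      drupal                     scram-sha-256
local   all         postgres                   peer
host    ledgersmb   all       192.0.2.0/24     gss
host    all         all       0.0.0.0/0        reject
"""


@dataclass(frozen=True)
class HbaRule:
    conn_type: str                     # "local" (Unix socket) or "host" (TCP)
    databases: frozenset               # database names, or {"all"}
    users: frozenset                   # role names, or {"all"}
    network: Optional[ipaddress.IPv4Network | ipaddress.IPv6Network]
    method: str                        # e.g. "gss", "scram-sha-256", "reject"
    lineno: int                        # line in the file, for diagnostics


def parse_hba(text: str) -> list[HbaRule]:
    """Parse the supported subset of pg_hba.conf, preserving line order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: local line needs DATABASE USER METHOD")
            db, user, method = fields[1], fields[2], fields[3]
            network = None
        elif conn_type == "host":
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: host line needs DATABASE USER ADDRESS METHOD")
            db, user, addr, method = fields[1:5]
            network = ipaddress.ip_network(addr, strict=False)
        else:
            raise ValueError(f"line {lineno}: unsupported connection type {conn_type!r}")
        rules.append(HbaRule(conn_type, frozenset(db.split(",")),
                             frozenset(user.split(",")), network, method, lineno))
    return rules


def _name_matches(allowed: frozenset, name: str) -> bool:
    return "all" in allowed or name in allowed


def resolve(rules: list[HbaRule], database: str, user: str,
            client_addr: Optional[str] = None) -> Optional[HbaRule]:
    """Return the first matching rule, as PostgreSQL does.

    client_addr=None models a Unix-socket connection (TYPE local).  None is
    returned when no line matches, which PostgreSQL treats as a refusal.
    """
    addr = ipaddress.ip_address(client_addr) if client_addr else None
    for rule in rules:
        if (rule.conn_type == "local") != (addr is None):
            continue                               # socket vs TCP mismatch
        if addr is not None and addr not in rule.network:
            continue                               # also false across v4/v6
        if not _name_matches(rule.databases, database):
            continue
        if not _name_matches(rule.users, user):
            continue
        return rule
    return None


def auth_method(database: str, user: str, client_addr: Optional[str] = None,
                hba_text: str = SAMPLE_HBA) -> Optional[str]:
    """Convenience wrapper: the method name that would apply, or None."""
    rule = resolve(parse_hba(hba_text), database, user, client_addr)
    return rule.method if rule else None


if __name__ == "__main__":
    for db, usr, addr in [("drupal", "drupal", None), ("ledgersmb", "alice", "192.0.2.10"),
                          ("ledgersmb", "alice", "198.51.100.7"), ("drupal", "alice", None)]:
        print(f"{db:10} {usr:8} {addr or 'local':14} -> {auth_method(db, usr, addr)}")
```

Two things this makes visible that the file alone does not: a host-line match only selects the method, so `alice` hitting the `gss` line still has to exist as a role in PostgreSQL and be in the Kerberos realm, exactly as the reply says; and order matters, since moving the final `reject` line to the top would refuse every TCP connection before the `gss` line is ever consulted.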