
Re: Authentication in 1.3 (was Re: State of Perl-based database setup utilities for LedgerSMB 1.3)



Hi David,

On Sat, May 28, 2011 at 8:17 PM, David F. Skoll <..hidden..> wrote:
> On Sat, 28 May 2011 10:07:56 -0700
> Chris Travers <..hidden..> wrote:
>
>> In other words, LedgerSMB doesn't authenticate users in 1.3, nor is it
>> the final check against exceeding permissions.  These are both handled
>> by PostgreSQL.
>
> Really?
>
> I was unaware of that.  I do not like that approach.

Thanks for sharing your concerns.

> We run our LSMB
> 1.2 installation on a machine that says "local all all trust" in
> pg_hba.conf; no normal users have accounts on that machine.
>
> Making application users into database roles is a bad decision, IMO.
> It forces you to use PostgreSQL's auth mechanism which, while
> admittedly "mature and well-tested", might not be the most convenient
> way to manage users in the application.

You're aware that the PostgreSQL versions nowadays allow
authentication against its own database, Kerberos,
LDAP/ActiveDirectory and PAM out of the box?

>  I hope that you rethink this.
> It's a dealbreaker for me and means we can't use LSMB 1.3.

What specifically goes wrong in your server management processes when
LSMB uses PostgreSQL authentication, taking into account that 1.3
comes preconfigured to connect through the IP interface, which is
probably not configured as "all all trust" even in your company?

Bye,


Erik.
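A small pg_hba.conf rule matcher, added here as an illustration (it is not part of the thread or of LedgerSMB), showing why the TCP point above matters: with PostgreSQL's first-match semantics a `local all all trust` line only covers Unix-socket connections, while a TCP connection from 127.0.0.1 falls through to the `host` rule. The sample file, database and user names are constructed; the parser supports only `local`/`host*` rules with CIDR addresses.

```python
import ipaddress

# Constructed pg_hba.conf sample (not taken from the thread): the "local all all trust"
# line discussed above, followed by password rules for TCP connections. md5 was the
# method of that era; scram-sha-256 is the choice on PostgreSQL 10 and later.
SAMPLE_HBA = """
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   127.0.0.1/32  md5
host    all       all   ::1/128       md5
"""

def parse_hba(text):
    """Parse local/host* rules. Simplification: CIDR addresses only, no keywords
    such as samehost/sameuser, no +group names, no comma-separated lists."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append({"type": "local", "db": f[1], "user": f[2],
                          "addr": None, "method": f[3]})
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            rules.append({"type": f[0], "db": f[1], "user": f[2],
                          "addr": ipaddress.ip_network(f[3]), "method": f[4]})
        else:
            raise ValueError("unsupported pg_hba line: " + line)
    return rules

def match_method(rules, conn_type, db, user, addr=None):
    """Return the auth method PostgreSQL applies: the FIRST matching rule wins, and
    a connection matching no rule is rejected (None). conn_type is 'local'
    (Unix socket) or 'host' (TCP); addr is the client IP for TCP connections."""
    for r in rules:
        if (r["type"] == "local") != (conn_type == "local"):
            continue
        if r["db"] != "all" and r["db"] != db:
            continue
        if r["user"] != "all" and r["user"] != user:
            continue
        if r["addr"] is not None and ipaddress.ip_address(addr) not in r["addr"]:
            continue
        return r["method"]
    return None

def trust_rules(rules):
    """Audit helper: rules that skip authentication entirely."""
    return [r for r in rules if r["method"] == "trust"]
```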