LDAP authentication
Does anyone know if anyone has tried to use LDAP for authentication?
The management here is insisting on it. I'll write it from scratch if
necessary. Any hints or pointers are appreciated.
Thanks
Richard
Postgresql supports pam. And there is pam_ldap. I haven't tried it out yet. But
I'm sure you need to create users in postgresql. Just authentication comes
through pam. There is no nss_ldap as far as I know.
Tommi
On Wednesday, 23 October 2002 21:38, Richard Ray wrote:
Does anyone know if anyone has tried to use LDAP for authentication?
The management here is insisting on it. I'll write it from scratch if
necessary. Any hints or pointers are appreciated.
Thanks
Richard
---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
I have used LDAP authentication with PHP. It works really well... I have
even done it using MS domain controllers too....
--
S RAY HUNTER
email: shunter@venticon.com
email: rhunter@venticon.com
www: http://venticon.com
I've had no luck getting PAM to work with PostgreSQL on HP/UX 11.00 and I
read that PostgreSQL doesn't allow user triggers on system tables. Not much
left but hack the PostgreSQL authentication code.
Richard
Create a file named postgresql in your /etc/pam.d/ directory with this
content
#%PAM-1.0
auth required /lib/security/pam_ldap.so #nullok #set_secrpc
account required /lib/security/pam_ldap.so
and something like this in your pg_hba.conf
host all 10.0.0.0 255.0.0.0 pam
It worked for me. Unfortunately/fortunately you have to create each user who
will access the database but this can be done easily (i.e. through a php script
on an authenticated web location)
Fathi Ben Nasr
Hi,
I just tried it out. Pam works fine with pam_ldap on linux. But as I told you, you
need to create database users. I just configured postgresql with --with-pam
and created (or copied one and modified) a /etc/pam.d/postgresql. Here it is:
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok try_first_pass #set_secrpc
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_pwcheck.so nullok
password required pam_ldap.so use_first_pass use_authtok
password required pam_unix.so nullok use_first_pass use_authtok
Maybe you can create users with a cronjob, which queries ldap on a daily basis
about new (and retired) users. Postgresql does need entries in pg_shadow. I
think it would be hard to hack authentication so that it does not need them.
It might be fine to see a generic way to create pg_shadow on the fly like nss
does. It should be a table-function, which might query a ldap-tree.
Tommi
--
Dr. Eckhardt + Partner GmbH
http://www.epgmbh.de
It is true that you have to create the users on PostgreSQL level too.
But once they are created on PG-level, PAM does work fine.
I had the same problem. I created a utility that synchronises the
postgresql users/groups with LDAP. It is not done automatically. You
have to invoke a function for it.
It is pretty ugly for the moment, it was my first experience writing
C-functions for PostgreSQL. I am rewriting it for PostgreSQL 7.3b2,
which has a way nicer API for outputting tables in C.
It does indeed consist of some C and some PLPGSQL functions.
If you're interested, please shoot me an email ...
Evert
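The LDAP-to-PostgreSQL user synchronisation discussed in the messages above (a daily cron job, or a function invoked by hand), sketched as an added example; it is not part of the thread and is not Evert's utility. The LDIF sample, the name allow-list and the protected-account set are constructed assumptions; the point shown is that directory-supplied names are validated and quoted before they reach SQL, and that local accounts are never dropped.

```python
import re

# Constructed sample: LDIF text as an LDAP search for account entries might print it.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob

dn: uid=mallory"; DROP USER postgres; --,ou=people,dc=example,dc=com
uid: mallory"; DROP USER postgres; --
"""

PROTECTED = {"postgres"}  # assumption: local accounts the sync must never drop
# Assumption: conservative allow-list for names accepted from the directory.
VALID_NAME = re.compile(r"^[a-z_][a-z0-9_.-]{0,62}$")


def ldap_uids(ldif):
    """Return (accepted, rejected) uid values found in plain 'uid: ' LDIF lines."""
    accepted, rejected = set(), []
    for line in ldif.splitlines():
        if not line.startswith("uid: "):
            continue  # base64 'uid:: ' values are deliberately not accepted
        uid = line[len("uid: "):].strip()
        if VALID_NAME.match(uid):
            accepted.add(uid)
        else:
            rejected.append(uid)
    return accepted, rejected


def quote_ident(name):
    """Quote an SQL identifier; embedded double quotes are doubled."""
    return '"' + name.replace('"', '""') + '"'


def plan_sync(ldap_users, pg_users):
    """SQL that makes the PostgreSQL user list match the directory.

    Users are created without a password: authentication stays with PAM.
    """
    create = [f"CREATE USER {quote_ident(u)};" for u in sorted(ldap_users - pg_users)]
    drop = [f"DROP USER {quote_ident(u)};"
            for u in sorted(pg_users - ldap_users - PROTECTED)]
    return create + drop


if __name__ == "__main__":
    users, rejected = ldap_uids(SAMPLE_LDIF)
    for stmt in plan_sync(users, {"postgres", "bob", "carol"}):  # constructed pg user list
        print(stmt)
    print("rejected directory names:", rejected)
```

The rejected list is worth logging on every run: a name that fails the allow-list points at either a directory entry that needs review or an attempt to smuggle SQL through it.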