On 16/07/17 23:26, Thomas Munro wrote: > Thank you very much for this feedback and example, which I used in the > documentation in the patch. I see similar examples in the > documentation for other things on the web. > > I'll leave it up to Magnus and Stephen to duke it out over whether we > want to encourage LDAP usage, extend documentation to warn about > cleartext passwords with certain LDAP implementations or > configurations, etc etc. I'll add this patch to the commitfest and > get some popcorn.
If it helps, we normally recommend that clients use ldaps for both AD and UNIX environments, although this can be trickier from an administrative perspective in AD environments because it can require changes to the Windows firewall and certificate installation. Whilst OpenLDAP will support ldap+starttls you can end up with some clients with starttls either disabled or misconfigured sending plaintext passwords over the wire regardless, so it's generally easiest to firewall ldap port 389 at the edge of the trusted VLAN so that only ldaps port 636 connections make it out onto the untrusted network hosting the local AD/OpenLDAP server. ATB, Mark. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
