On 17/07/17 00:14, Stephen Frost wrote:
>> If it helps, we normally recommend that clients use ldaps for both AD
>> and UNIX environments, although this can be trickier from an
>> administrative perspective in AD environments because it can require
>> changes to the Windows firewall and certificate installation.
>
> LDAPS is better than straight LDAP, of course, but it still doesn't
> address the issue that the password is sent to the server, which both
> SCRAM and Kerberos do and is why AD environments use Kerberos for
> authentication, and why everything in an AD environment also should use
> Kerberos.
>
> Using Kerberos should also avoid the need to hack the Windows firewall
> or deal with certificate installation. In an AD environment, it's
> actually pretty straightforward to add a PG server too. Further, in my
> experience at least, there have been other changes recommended by Microsoft
> that prevent using LDAP for auth because it's insecure.
Oh sure - I'm not questioning that Kerberos is a far better choice in pure AD environments, it's just that I spend the majority of my time in mixed-mode environments where Windows is very much in the minority.

In my experience LDAP is often implemented badly; for example the majority of software still uses simple binds (i.e. plain logins) rather than using SASL binds which support a whole range of better authentication methods (e.g. GSSAPI, and even DIGEST-MD5 has been mandatory for v3 and is implemented on AD).

And yes, while better authentication mechanisms do exist, I find that all too often most software packages claim LDAP support rather than Kerberos, and even then it is often limited to LDAP simple binds without ldaps support.

ATB,
Mark.
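As an added illustration of the distinction drawn in this thread (not code from the thread or from PostgreSQL itself), the following script audits a constructed pg_hba.conf and grades each line by what happens to the user's password: LDAP without TLS sends it in the clear to the directory, LDAP over ldaps/ldaptls still hands it to both the PG server and the directory, while gss and scram-sha-256 never give the server the password at all. The sample config, hostnames and verdict strings are all constructed for the example.

```python
"""Audit pg_hba.conf auth methods for password exposure (constructed sample)."""
import re

# Constructed sample pg_hba.conf; hosts and base DNs are made up for this example.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS      METHOD
host    all       all   10.0.0.0/8   ldap ldapserver=ad.example.test ldapprefix="CORP\\\\"
host    all       all   10.0.0.0/8   ldap ldapurl="ldaps://ad.example.test/dc=corp?sAMAccountName"
hostssl all       all   10.0.0.0/8   ldap ldapserver=dir.example.test ldaptls=1 ldapbasedn="dc=example"
host    all       all   10.0.0.0/8   gss include_realm=0
hostssl all       all   0.0.0.0/0    scram-sha-256
local   all       all                password
"""

# What the PG server learns about the password for each method (per the thread).
VERDICT = {
    "gss": "ok: Kerberos, password never sent to PG or the directory",
    "sspi": "ok: Kerberos via SSPI, password never sent",
    "scram-sha-256": "ok: SCRAM, server only holds/receives a verifier",
    "cert": "ok: client certificate, no password involved",
    "password": "bad: cleartext password sent to the PG server",
    "md5": "weak: challenge-response, but PG stores a password-equivalent hash",
    "ldap": None,  # decided by the ldap options, see classify()
}

def classify(line):
    """Return (method, verdict) for one pg_hba.conf line, or None for comments/blank lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split(None, 1)
    n = 3 if fields[0] == "local" else 4        # 'local' lines carry no ADDRESS column
    fields = line.split(None, n)
    if len(fields) < n + 1:
        return None
    method, _, opts = fields[n].partition(" ")
    if method != "ldap":
        return method, VERDICT.get(method, "review: method not graded here")
    # ldapurl=ldaps://... or ldaptls=1 protect the PG -> directory hop with TLS;
    # either way PostgreSQL performs a simple bind, so the directory and PG see the password.
    uses_tls = bool(re.search(r'ldapurl="?ldaps://', opts)) or "ldaptls=1" in opts
    if not uses_tls:
        return method, "bad: simple bind, cleartext password from PG to the directory"
    return method, "weak: simple bind over TLS; PG server and directory still see the password"

def audit(text):
    """Grade every effective line of a pg_hba.conf text."""
    return [r for r in (classify(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for method, verdict in audit(SAMPLE_HBA):
        print(f"{method:15} {verdict}")
```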