If you have a "clean" Windows setup (i.e. both the client and server are
Windows-based) you can use the SSPI single sign-on setup on the server -
equivalent to "Integrated security" for MS-SQLServer.
In simple terms it means that your Windows logon identity automatically
is reused as a postgres user identity without any further setup.
Very popular with my "Always Windows-only !!" customers and a forceful
argument for switching them from MS-SQLServer to Postgres/PostGIS for
spatial data.
https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows
--
Med venlig hilsen / Kind regards
Bo Victor Thomsen
On 20-11-2019 at 22:59, Andreas Neumann wrote:
Hi Alessandro,
To be honest - I don't know much about this single sign-on on Windows.
I just noticed that with some software, one doesn't have to log in a
second time. One Login into the Windows system is enough and the other
software can - somehow (I don't know how) - authenticate the user from
the Windows-Login, without a second log-in. But I don't know how that
works.
It is not super important, but would be somehow convenient, if it
doesn't sacrifice security. Maybe it isn't possible at all.
Andreas
On 20.11.19 at 17:24, Alessandro Pasotti wrote:
On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <a.neum...@carto.net> wrote:
Hi Jürgen,
I wouldn't know how this works. When I create a new PG
connection, it forces me to add a username and password. I can't
create a new connection without specifying one. Even if the
Windows password manager already knows my windows credentials,
which are the same as the PG credentials. As a "stupid user" I
would either expect:
- not being asked for credentials (means that QGIS would
automagically forward the Windows credentials)
What if your DNS has been poisoned to hit evil.hacker.com
instead? Would you still want your
credentials to be automatically sent?
- or when creating a new auth-conf, having a choice like "use
windows credentials" and then not being asked for
username/password, because QGIS already knows it from Windows.
I don't get this point: when you enter your credentials in the OS
wallet (password manager) it does not leak them to QGIS, or that
would be another huge security hole.
But maybe I am just not correctly handling it.
The one thing I noticed is that the Windows password manager
automatically loads the master password of the QGIS password
manager. So that one seems to work.
That's the currently supported way to manage credentials: you store
them into the encrypted QGIS auth DB and (optionally) store the
master password in your OS wallet.
In any event, the QGIS auth system is plugin based (C++ plugins) and
other/custom auth methods could be developed if needed.
Cheers
--
Alessandro Pasotti
w3: www.itopen.it
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer