Authentication?


Authentication?

Bjørn T Johansen
Hi.

Is it possible to use one authentication method as default, like LDAP, and if the user is not found, then try to authenticate using
md5/scram-sha-256 ?


Regards,

BTJ

--
-----------------------------------------------------------------------------------------------
Bjørn T Johansen

[hidden email]
-----------------------------------------------------------------------------------------------
Someone wrote:
"I understand that if you play a Windows CD backwards you hear strange Satanic messages"
To which someone replied:
"It's even worse than that; play it forwards and it installs Windows"
-----------------------------------------------------------------------------------------------


Re: Authentication?

David G Johnston
On Wed, Mar 7, 2018 at 6:13 AM, Bjørn T Johansen <[hidden email]> wrote:
> Hi.
>
> Is it possible to use one authentication method as default, like LDAP, and if the user is not found, then try to authenticate using
> md5/scram-sha-256 ?

In the "Client Authentication" Chapter:

https://www.postgresql.org/docs/10/static/auth-pg-hba-conf.html

"""
The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no “fall-through” or “backup”: if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.
"""

David J.


Re: Authentication?

Bjørn T Johansen
On Wed, 7 Mar 2018 07:14:55 -0700
"David G. Johnston" <[hidden email]> wrote:

> On Wed, Mar 7, 2018 at 6:13 AM, Bjørn T Johansen <[hidden email]> wrote:
>
> > Hi.
> >
> > Is it possible to use one authentication method as default, like LDAP, and
> > if the user is not found, then try to authenticate using
> > md5/scram-sha-256 ?
> >  
>
> In the "Client Authentication" Chapter:
>
> https://www.postgresql.org/docs/10/static/auth-pg-hba-conf.html
>
> """
> The first record with a matching connection type, client address,
> requested database, and user name is used to perform authentication. There
> is no “fall-through” or “backup”: if one record is chosen and the
> authentication fails, subsequent records are not considered. If no record
> matches, access is denied.
> """
>
> David J.

I was hoping I had misunderstood but ok.. :)

BTJ


Re: Authentication?

David G Johnston
On Wed, Mar 7, 2018 at 8:14 AM, Bjørn T Johansen <[hidden email]> wrote:
> On Wed, 7 Mar 2018 07:14:55 -0700
> "David G. Johnston" <[hidden email]> wrote:
>
> > On Wed, Mar 7, 2018 at 6:13 AM, Bjørn T Johansen <[hidden email]> wrote:
> >
> > > Hi.
> > >
> > > Is it possible to use one authentication method as default, like LDAP, and
> > > if the user is not found, then try to authenticate using
> > > md5/scram-sha-256 ?
> > >
> >
> > In the "Client Authentication" Chapter:
> >
> > https://www.postgresql.org/docs/10/static/auth-pg-hba-conf.html
> >
> > """
> > The first record with a matching connection type, client address,
> > requested database, and user name is used to perform authentication. There
> > is no “fall-through” or “backup”: if one record is chosen and the
> > authentication fails, subsequent records are not considered. If no record
> > matches, access is denied.
> > """
> >
>
> I was hoping I had misunderstood but ok.. :)

In the specific case you describe here you could have the server poll the LDAP server periodically and cache the user names recognized and then leverage:

"Multiple user names can be supplied by separating them with commas. A separate file containing user names can be specified by preceding the file name with @."

In short, you have to pre-compute which method each user is allowed to access externally then provide that knowledge to PostgreSQL.

David J.
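The first-match rule quoted from the docs and the @file workaround David describes, as an added example that is not part of this thread: a small Python simulation of how pg_hba.conf records are selected. The rules, the user list and the host names are constructed for illustration; real PostgreSQL matching has more keywords and quoting rules than this models.

```python
import ipaddress

# Constructed pg_hba.conf content (not from the thread). Records are tried
# top to bottom and the FIRST matching record decides the method.
HBA_WITH_USER_LIST = """
# TYPE  DATABASE  USER         ADDRESS      METHOD
host    all       @ldap_users  10.0.0.0/8   ldap ldapserver=ldap.example.com
host    all       all          10.0.0.0/8   scram-sha-256
"""

# Naive attempt at "LDAP first, then SCRAM": the second record is never reached.
HBA_NAIVE = """
host    all       all          10.0.0.0/8   ldap ldapserver=ldap.example.com
host    all       all          10.0.0.0/8   scram-sha-256
"""

# Stand-in for the @ldap_users file: user names previously cached from LDAP.
USER_FILES = {"ldap_users": "alice, bob"}

def expand(field):
    """Expand a comma-separated USER/DATABASE field, following @file references."""
    names = set()
    for item in field.split(","):
        item = item.strip()
        if item.startswith("@"):
            names |= expand(USER_FILES[item[1:]])
        elif item:
            names.add(item)
    return names

def parse_hba(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ctype, db, user, addr, method = line.split()[:5]  # method options dropped
        rules.append((ctype, expand(db), expand(user), ipaddress.ip_network(addr), method))
    return rules

def field_matches(names, value):
    return "all" in names or value in names

def choose_method(hba_text, ctype, db, user, addr):
    """Return the auth method of the first matching record, or None (access denied)."""
    ip = ipaddress.ip_address(addr)
    for r_type, r_dbs, r_users, r_net, method in parse_hba(hba_text):
        if r_type == ctype and field_matches(r_dbs, db) and field_matches(r_users, user) and ip in r_net:
            return method  # later records are never consulted, even if this auth fails
    return None
```

With HBA_NAIVE every user from 10.0.0.0/8 gets "ldap" and the scram-sha-256 record is dead; with the @ldap_users list, only the cached LDAP users are sent to LDAP and everyone else falls to SCRAM.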


Re: Authentication?

Stephen Frost
In reply to this post by Bjørn T Johansen
Greetings,

* Bjørn T Johansen ([hidden email]) wrote:
> Is it possible to use one authentication method as default, like LDAP, and if the user is not found, then try to authenticate using
> md5/scram-sha-256 ?

Not directly in pg_hba.conf.  You might be able to construct a system
which works like this using PAM though, but it wouldn't be much fun.

LDAP use really should be discouraged as it involves sending the
password to the PG server.  If you are operating in an active directory
environment then you should be using GSSAPI/Kerberos.

SCRAM is a good alternative as it doesn't send the password to the
server either, though that is only available in PG10, of course.

Thanks!

Stephen


Re: Authentication?

Benedict Holland
Not to get off topic, can you authenticate database users via Kerberos? 

Thanks,
~Ben

On Wed, Mar 7, 2018 at 10:19 AM, Stephen Frost <[hidden email]> wrote:
> Greetings,
>
> * Bjørn T Johansen ([hidden email]) wrote:
> > Is it possible to use one authentication method as default, like LDAP, and if the user is not found, then try to authenticate using
> > md5/scram-sha-256 ?
>
> Not directly in pg_hba.conf.  You might be able to construct a system
> which works like this using PAM though, but it wouldn't be much fun.
>
> LDAP use really should be discouraged as it involves sending the
> password to the PG server.  If you are operating in an active directory
> environment then you should be using GSSAPI/Kerberos.
>
> SCRAM is a good alternative as it doesn't send the password to the
> server either, though that is only available in PG10, of course.
>
> Thanks!
>
> Stephen



Re: Authentication?

Stephen Frost
Greetings,

* Benedict Holland ([hidden email]) wrote:
> Not to get off topic, can you authenticate database users via Kerberos?

Absolutely.  GSSAPI is the auth method to use for Kerberos.

Thanks!

Stephen


Re: Authentication?

Bjørn T Johansen
In reply to this post by Stephen Frost
On Wed, 7 Mar 2018 10:19:35 -0500
Stephen Frost <[hidden email]> wrote:

> Greetings,
>
> * Bjørn T Johansen ([hidden email]) wrote:
> > Is it possible to use one authentication method as default, like LDAP, and if the user is not found, then try to authenticate using
> > md5/scram-sha-256 ?  
>
> Not directly in pg_hba.conf.  You might be able to construct a system
> which works like this using PAM though, but it wouldn't be much fun.
>
> LDAP use really should be discouraged as it involves sending the
> password to the PG server.  If you are operating in an active directory
> environment then you should be using GSSAPI/Kerberos.
>
> SCRAM is a good alternative as it doesn't send the password to the
> server either, though that is only available in PG10, of course.
>
> Thanks!
>
> Stephen

Ok, thx... Will check out GSSAPI/Kerberos instead... :)

BTJ