Date: Wed, 25 Jun 2025 13:55:35 +0200
From: "Peter J. Holzer" <hjp@hjp.at>
To: pgsql-general@lists.postgresql.org
Subject: Re: password rules
Message-ID: <20250625115535.bd3lmsslyd36qsha@hjp.at>
In-Reply-To: <65b65e9f-b4b0-4927-b872-d24dff11449b@crashdump.ch>
References: <65b65e9f-b4b0-4927-b872-d24dff11449b@crashdump.ch>

On 2025-06-23 16:35:35 +0200, raphi wrote:
> To be fair, setting up LDAP is very easy in PG, just one line in hba.conf
> and all is done. But sadly, that's only where the problems begin. The
> difficult part is to embed this setup into a company, especially a large
> one as I work for with over 1000 PG databases and at least that many roles.
> Someone needs to be able to manage the passwords in LDAP and this means
> someone has to decide who can change which passwords, which is usually where
> some sort of Identity and Access Management (IAM) comes into place.
>
> We already have LDAP and IAM in place in our organization for many other
> things, but IAM identities are coupled to a real person, not a team. Which
> means only one person in the team would be able to set a new password and
> when that person leaves the team, IAM rights need to be revoked and given to
> a new person. Doable, but quite a pain in the behind, especially when that
> one person happens to be on holidays.

I don't see why that should be the case. You could either grant
privileges to more than one person or - preferably - to a role which is
then granted to the personal roles.

So for example you would authenticate as «raphi» and I as «hjp» but we
could both change to «foo_admin» or whatever. That would even have the
advantage that we leave an audit trail with our "real" identities.

        hjp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
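The role layout Peter describes above, written out as an added example for readers of the archive (this is not code from the message or from the PostgreSQL project). The role names raphi, hjp and foo_admin come from the message; the database name foo and the privilege set granted to the team role are assumptions made for illustration.

```sql
-- Added example, not from the original post. Assumes a database named "foo";
-- role names raphi, hjp and foo_admin are taken from the message.

-- Personal login roles, one per real person. When pg_hba.conf delegates
-- authentication to LDAP, these roles carry no password inside PostgreSQL.
CREATE ROLE raphi LOGIN;
CREATE ROLE hjp   LOGIN;

-- Shared team role: owns the privileges but cannot log in, so there is no
-- team password to hand over when somebody leaves or goes on holiday.
CREATE ROLE foo_admin NOLOGIN;
GRANT ALL PRIVILEGES ON DATABASE foo TO foo_admin;   -- assumed privilege set

-- Membership, not a shared secret, decides who may act as foo_admin.
-- Onboarding and offboarding are a single GRANT or REVOKE each.
GRANT foo_admin TO raphi, hjp;
-- REVOKE foo_admin FROM raphi;                       -- offboarding

-- In a session authenticated as hjp, switch to the team role:
SET ROLE foo_admin;

-- session_user stays 'hjp' (the authenticated identity), current_user is now
-- 'foo_admin' (whose privileges apply). log_line_prefix's %u records the
-- session user, so work done as foo_admin is still attributable to a person.
SELECT session_user, current_user;

RESET ROLE;
```

Because foo_admin is NOLOGIN, nobody can authenticate as it directly; the only path to its privileges is through a personal login, which is exactly what keeps the audit trail honest. With the default GRANT the member roles also inherit foo_admin's privileges without an explicit SET ROLE; on PostgreSQL 16 and later, GRANT ... WITH INHERIT FALSE makes the switch explicit so that routine sessions run with the person's own, narrower rights.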