From: "Buoro, John"
To: "pgsql-general@postgresql.org"
Subject: SSPI Feature Request
Date: Fri, 19 Apr 2024 01:53:17 +0000

Hi,

SSPI Kerberos\NTLM authentication (Windows environment) currently only authenticates users; however, it does not authenticate a user against an LDAP \ Active Directory group.

This makes administration complex because an administrator would need to add\remove each user to\from an instance, or if a user changes role then their permissions would need to be altered.

If you have many instances and many users then this becomes a long process which can be prone to error.

Industry best practice would be to define group(s), assign permissions and roles to these, and have SSPI authenticate users against these groups.

The responsibility of granting or altering permissions is at the LDAP \ Active Directory level, which is its prime purpose.

This is something that other RDBMS can do and it would make PostgreSQL a far more attractive solution from that perspective.

Can you please look at making this possible?

This has been raised before (below) but nothing has been progressed further...

https://www.postgresql.org/message-id/20201016160029.GO19056%40tamriel.snowman.net

Many thanks.

John.

Disclaimer
The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation to the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast, a leader in email security and cyber resilience. Mimecast integrates email defenses with brand protection, security awareness training, web security, compliance and other essential capabilities. Mimecast helps protect large and small organizations from malicious activity, human error and technology failure, and to lead the movement toward building a more resilient world. To find out more, visit our website.
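An added example, not part of John's message and not PostgreSQL code: until SSPI can check group membership itself, the usual workaround is a scheduled sync job that reads the AD group and reconciles membership of a PostgreSQL group role. The planning logic below is written in Python so it runs offline; the AD membership list, the existing role names and the current member set are constructed sample data (in production they come from the ActiveDirectory PowerShell cmdlet Get-ADGroupMember and from the catalog query in the block). The role name pg_readers and the realm CORP.EXAMPLE are assumptions. The point a practitioner should take from it is the third sample user name: the sync job is a path from AD data into privileged SQL, so identifiers must be quoted, not interpolated.

```python
"""Sync PostgreSQL role membership from an Active Directory group.

Added example (not part of the original message or of PostgreSQL): the
manual workaround the post describes, automated. Memberships are passed
in as plain sets so the planning logic runs offline; in production they
come from AD (Get-ADGroupMember on Windows) and from the catalog query
below.
"""
from typing import Iterable, List, Set

# Catalog query that returns the current direct members of a role
# (pg_auth_members and pg_roles are real PostgreSQL catalogs).
CURRENT_MEMBERS_SQL = """
SELECT m.rolname
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE r.rolname = %s
"""


def quote_ident(name: str) -> str:
    """Quote a SQL identifier the way PostgreSQL's quote_ident() does.

    The name originates in AD, so it may contain '\\', '@', spaces or
    even a double quote; doubling embedded quotes keeps it one identifier
    and closes the injection path that a naive f-string opens.
    """
    if "\0" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def pg_user_name(sam_account_name: str, realm: str = "") -> str:
    """Name PostgreSQL sees for an SSPI login.

    With include_realm=1 in pg_hba.conf (assumption here; it is the
    documented default) the principal arrives as user@REALM and the role
    must be named exactly that way. Role names are case-sensitive.
    """
    return f"{sam_account_name}@{realm}" if realm else sam_account_name


def naive_grant(group_role: str, user: str) -> str:
    """The unsafe version: interpolates the AD name straight into SQL."""
    return f"GRANT {group_role} TO {user}"


def plan(group_role: str, ad_members: Iterable[str], existing_roles: Set[str],
         current_members: Set[str], realm: str = "") -> List[str]:
    """Return statements that make group_role's membership equal the AD group.

    Roles are created for new members and membership is granted/revoked.
    Roles of departed users are deliberately not dropped: they may own
    objects, and dropping is a separate, reviewed decision.
    """
    wanted = {pg_user_name(u, realm) for u in ad_members}
    role = quote_ident(group_role)
    stmts: List[str] = []
    for user in sorted(wanted - current_members):
        if user not in existing_roles:
            stmts.append(f"CREATE ROLE {quote_ident(user)} LOGIN")
        stmts.append(f"GRANT {role} TO {quote_ident(user)}")
    for user in sorted(current_members - wanted):
        stmts.append(f"REVOKE {role} FROM {quote_ident(user)}")
    return stmts


# Constructed sample data; the third AD name shows why quoting matters.
AD_GROUP_MEMBERS = ["alice", "bob", 'eve"; DROP ROLE admin; --']
EXISTING_ROLES = {"alice@CORP.EXAMPLE", "carol@CORP.EXAMPLE", "pg_readers"}
CURRENT_MEMBERS = {"alice@CORP.EXAMPLE", "carol@CORP.EXAMPLE"}


def sample_plan() -> List[str]:
    """Reconcile the sample data: bob and eve join, carol is revoked."""
    return plan("pg_readers", AD_GROUP_MEMBERS, EXISTING_ROLES,
                CURRENT_MEMBERS, realm="CORP.EXAMPLE")


if __name__ == "__main__":
    for stmt in sample_plan():
        print(stmt + ";")
```

Run the generated statements from a scheduled task under a service account that holds CREATEROLE and ADMIN OPTION on the group role rather than superuser, and pass -Recursive to Get-ADGroupMember if nested groups are in use. Two caveats a practitioner should keep in mind: this is a periodic sync, so there is a window between an AD change and its effect in the database, which is exactly the gap an in-line SSPI group check would close; and it only reconciles membership of the group role, so object privileges still belong on pg_readers, never on the individual login roles.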