Date: Mon, 24 Jun 2024 17:01:47 +0200
From: Christoph Moench-Tegeder
To: Martin Goodson
Cc: Tom Lane, pgsql-general@lists.postgresql.org
Subject: Re: Password complexity/history - credcheck?

## Martin Goodson (kaemaril@googlemail.com):

> Crikey, that would be quite a lot of SSL/TLS to set up. We
> have quite a few (massive understatement :( ... ) PostgreSQL database
> clusters spread over quite a lot (another understatement) of VMs.

No matter what: you'll have to touch all your instances anyways. The good thing is that all the options (including TLS) can be automatically deployed iff you're set up for that - and you should be, especially when you have "many" databases.

> The last time I suggested LDAP there was a lot of enthusiasm ... until
> they went down and looked at what might have to be done, after which
> it all became very quiet ...

With "many" databases and personal accounts, you should have some sort of central management (else even an inventory of the accounts ("who can access what") is a nightmare). Finding the best ways towards that goal for your organization could be beyond the scope of an email list - but I'd start with looking at what you already have. I mentioned LDAP because all too often that's the system which you can most easily get access to (but depending on your environment, that might not be the best solution).

Regards,
Christoph

--
Spare Space.