Am 14.11.23 um 13:56 schrieb Bernd Lentes:
Hi,
the last time i wrote a SQL command is about 20 years ago.
So I'm asking for your advice.
I have a DB which is accessed by ~ 40 users.
The users are in pg_user and authenticated with LDAP.
There have been several warnings on this list about using LDAP for authentication.
I quote one of them:
PostgreSQL supports GSSAPI / Kerberos, which is a much better approach in Active Directory and other environments where Kerberos is deployed.
Using LDAP exposes the user's password to the database server and therefore isn't secure and should be strongly discouraged.
You can certainly have applications authenticate to PostgreSQL using Kerberos too with very little overhead (unlike PG's LDAP authentication option, which makes a synchronous call out to the LDAP server on each and every login).
If you insist on using LDAP, you might use the regexp feature to extract the username from the complete mail address. Only if the same user name with different server parts (after the @) exist, you'll have to change your user names.
Quoted user names are very much unloved.
Regards,
Holgr
--
Holger Jakobs, PostgreSQL Expert and Trainer, Bergisch Gladbach, Tel. +49-178-9759012