Re^2: Hide DBI password in scripts
by afoken (Chancellor) on Jan 14, 2018 at 17:21 UTC
Well, let's see what we can make of this bold statement:
PostgreSQL can in fact authenticate against an LDAP server. This is documented in https://www.postgresql.org/docs/9.6/static/auth-methods.html (Note: Intentionally linking to 9.6, not current). But let's have a look at the documented details (emphasis mine):
Or, summarized: PostgreSQL's LDAP authentication uses username and password passed to DBI->connect(). You have to provide username and password, no matter how you configure LDAP authentication.
This is how LDAP works, nicely summarized, and independent of the relational database engine used by DBI. In other words: LDAP cannot help here. You have to provide a secret password to use LDAP.
Now, Kerberos. Quoting the same page:
So, yes, Kerberos can be used to avoid a password if the database supports it.
But: Does your database support it?
MySQL: LDAP, PAM, but no Kerberos. Windows authentication requires plugins on client and server, and won't help with non-Windows systems. (And please don't make me think about clever ideas like "client-side cleartext authentication".) So, Kerberos won't help you with MySQL. FAIL.
MS SQL Server: Either pure Windows authentication, or Windows authentication as an alternative to username/password stored in SQL Server. Not even LDAP, and no trace of Kerberos. So: FAIL.
Oracle: LDAP, Kerberos, and many others. I did not expect less. PASS.
PostgreSQL: see above. PASS.
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
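An added example, not part of afoken's post: a small Perl audit that reads pg_hba.conf records and reports, per rule, whether a DBI client has to pass a password to connect(). The grouping of methods follows the PostgreSQL 9.6 authentication documentation; the sample records, host names and the function name classify_hba_line are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Auth methods from the PostgreSQL 9.6 docs, grouped by whether the client
# (e.g. DBI->connect) has to send a password over the connection.
my %needs_password = map { $_ => 1 } qw(password md5 ldap radius pam bsd);
my %no_password    = map { $_ => 1 } qw(gss sspi peer ident cert trust);

# Classify one pg_hba.conf line. Returns [type, db, user, method, verdict],
# or nothing for comments and blank lines. Simplification (assumption):
# a '#' inside a quoted value is not handled.
sub classify_hba_line {
    my ($line) = @_;
    $line =~ s/#.*//;
    my @f = split ' ', $line;
    return unless @f;
    my $idx;
    if ($f[0] eq 'local') {
        $idx = 3;                                  # local db user method
    } elsif ($f[0] =~ /^host(?:ssl|nossl)?$/) {
        # Either "address/len method" or "address netmask method".
        $idx = (defined $f[4] && $f[4] =~ /^[\d.]+$|:/) ? 5 : 4;
    } else {
        return [$f[0], '?', '?', '?', 'unrecognized record type'];
    }
    my $method  = $f[$idx] // '';
    my $verdict = $needs_password{$method} ? 'password required in connect()'
                : $no_password{$method}    ? 'no password sent by client'
                : $method eq 'reject'      ? 'connection refused'
                :                            'unknown method';
    return [@f[0 .. 2], $method, $verdict];
}

# Constructed sample records, not taken from any real server.
my @sample = (
    '# TYPE  DATABASE USER     ADDRESS            METHOD',
    'local   all      postgres                    peer',
    'host    all      all      127.0.0.1/32       md5',
    'host    appdb    app      10.0.0.0 255.0.0.0 ldap ldapserver=ldap.example.net ldapprefix="uid="',
    'hostssl appdb    app      10.0.0.0/8         gss include_realm=0',
);

for my $line (@sample) {
    my $r = classify_hba_line($line) or next;
    printf "%-8s %-6s %-9s %-5s %s\n", @$r;
}
```

On the constructed sample, the ldap and md5 rules are reported as needing a password, while the gss (Kerberos) and peer rules are not.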