On 2025-06-25 14:42:26 +0200, raphi wrote: > > > Am 25.06.2025 um 13:55 schrieb Peter J. Holzer: > > On 2025-06-23 16:35:35 +0200, raphi wrote: > > > To be fair, setting up LDAP is very easy in PG, just one line in hba.conf > > > and all is done. But sadly, that's only where the problems begin. The > > > difficult part is to embedd this setup into a company, especially a large > > > one as I work for with over 1000 PG databases and at least that many > > > roles. > > > Someone needs to be able to manage the passwords in LDAP and this means > > > someone has to decide who can change which passwords, which is usually > > > where > > > some sort of Identity and Access Management (IAM) comes into place. > > > > > > We already have LDAP and IAM in place in our organization for many other > > > things, but IAM identities are coupled to a real person, not a team. Which > > > means only one person in the team would be able to set a new password and > > > when that person leaves the team, IAM rights need to be revoked and given > > > to > > > a new person. Doable, but quite a pane in the behind, especially when that > > > one person happens to be on holidays. > > I don't see why that should be the case. You could either grant > > privileges to more than one person or - preferrably - to a role which is > > then granted to the personal roles. > > > > So for example you would authenticate as «raphi» and I as «hjp» but we > > could both change to «foo_admin» or whatever. That would even have the > > advantage that we leave an audit trail with our "real" identities. > > > That's not how the identiy principle works, at least not how it's implement > in our company. A user in ldap has a direct relation to one digital entity, > either a token from an application or certificate from a physical person > (maybe some AD shenanigans also). We don't have digital entities for teams, > that's what's missing. For it to work they (security) would need to allow to > weaken this principle and as you said, allow everyone who has a certain role > to manage the associated user in LDAP, like setting a new password.
That user shouldn't have a password, since nobody is authenticating as
that user. It also doesn't have to exist in LDAP. It's just a role in
the database.
> But "our" problem aside, I still don't quite understand the decision that
> this was never implemented. If password authentication is so bad, why allow
> it all then?
Legacy (posgresql is old). And also hard to avoid if you want to be
usable on a wide variety of platforms and in a wide variety of
situations.
> And when it's allowed, why not provide some basic features to
> make it more secure?
But do they? "Complexity" (scare quotes intentional) rules are easy to
circumvent and when people don't see the need for strong passwords, they
will do so. If they do see the need they will use strong passwords on
their own and the rules are somewhere between unnecessary and
counter-productive. Most guidelines also have stopped recommending
mandatory password rotations quite some time ago.
These features provide convenient boxes for auditors to tick off and
security for management who can claim that they did something.
Operational security? Not so much.
(just my personal opinion as someone who's been a sysadmin for over 20
years (although not recently))
> The lack of any password rules is in it self the reason
> why it is so dangerous to use passwords in PG. I'd argue that the use of
> passwords with complexity requirements and TTL settings over an encrypted
> connection, with firewall rules and proper hba.conf access lists, are quite
> safe.
I agree with you that they can be quite safe. I would claim that
complexity requirements and TTL settings play only a miniscule role in
that.
> Maybe even safer than a central solution like LDAP or Kerberos which
> is a single point of entry for an attacker, be it by attacking the software
> itself or the backup of the data, potentially getting access to everything
> instead of "just" one hacked password.
Agree. In fact, all our databases are intentionally not linked to AD.
hjp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | h...@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
signature.asc
Description: PGP signature
