On Mon, 2021-02-01 at 17:01 -0500, Stephen Frost wrote: > * Jacob Champion (pchamp...@vmware.com) wrote: > > And I'm not holding > > my breath for LDAP servers to start implementing federated identity, > > though that would be nice. > > Not sure exactly what you're referring to here but AD already provides > Kerberos with cross-domain trusts (aka forests). The future is here..? > :)
If the end user is actually using LDAP-on-top-of-AD, and comfortable administering the Kerberos-related pieces of AD so that their *nix servers and users can speak it instead, then sure. But I continue to hear about customers who don't fit into that mold. :D Enough that I have to keep an eye on the "pure" LDAP side of things, at least. > > To double-check -- since giving this ability to the pg_read_all_stats > > role would expand its scope -- could that be dangerous for anyone? > > I don't agree that this really expands its scope- in fact, you'll see > that the GSSAPI and SSL user authentication information is already > allowed under HAS_PGSTAT_PERMISSIONS(). Ah, so they are. :) I think that's the way to go, then. --Jacob
