LDAP users?

Posted May 9, 2012 4:38 UTC (Wed) by ringerc (subscriber, #3071)
In reply to: Accounting systems: a rant and a quest by dskoll
Parent article: Accounting systems: a rant and a quest

PostgreSQL supports getting its user information from an LDAP service, or having the users entirely internal to the DB with no relationship to system users.

If the app provides a basic tool to create/drop/alter Pg users, this should be no hassle at all to manage and no different to using users defined in application tables. I'm guessing they haven't.


LDAP users?

Posted May 9, 2012 13:11 UTC (Wed) by dskoll (subscriber, #1630)

Yes, I know that. But just because I want to let people log in to an accounting application, that doesn't mean I trust those same people with the psql command-line. Conflating database users with application users is not a good idea, IMO.

LDAP users?

Posted May 10, 2012 2:29 UTC (Thu) by ringerc (subscriber, #3071)

Good point. I was assuming they'd moved to a design where all rights and permissions checking was done in the DB, such that a command-line user couldn't do anything more than a GUI user can. That's often done with appropriate trigger functions or, where they aren't flexible enough, the use of SECURITY DEFINER stored procs + access-restricted tables.

If they're using DB-level users but not doing strict access control and checking in the DB, so a user can still wreak havoc with DB command-line access, that's not cool.
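
The design described in the comment above (access-restricted tables reached only through SECURITY DEFINER stored procedures), as an added PostgreSQL example that is not from the thread or from LedgerSMB. The roles, schema, table, function and the per-entry limit are all hypothetical, and the script assumes it is run by a superuser.

```sql
-- Constructed schema: every role, table and function name here is hypothetical.
BEGIN;

CREATE ROLE ledger_owner NOLOGIN;   -- owns the data, never logs in
CREATE ROLE clerk LOGIN;            -- application user who may also reach psql

CREATE SCHEMA ledger AUTHORIZATION ledger_owner;

CREATE TABLE ledger.journal (
    id         bigserial     PRIMARY KEY,
    account    text          NOT NULL,
    amount     numeric(12,2) NOT NULL CHECK (amount <> 0),
    entered_by name          NOT NULL,
    entered_at timestamptz   NOT NULL DEFAULT now()
);
ALTER TABLE ledger.journal OWNER TO ledger_owner;

-- Access-restricted table: clerk gets no SELECT/INSERT/UPDATE/DELETE on it.
REVOKE ALL ON ledger.journal FROM PUBLIC;
GRANT USAGE ON SCHEMA ledger TO clerk;

-- The only write path. It runs with ledger_owner's rights, so its checks
-- apply equally to the GUI and to a psql session.
CREATE FUNCTION ledger.post_entry(p_account text, p_amount numeric)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = ledger, pg_temp   -- pin name resolution for definer code
AS $$
DECLARE
    new_id bigint;
BEGIN
    IF abs(p_amount) > 10000 THEN   -- constructed business rule
        RAISE EXCEPTION 'amount % exceeds per-entry limit', p_amount;
    END IF;
    INSERT INTO journal (account, amount, entered_by)
    VALUES (p_account, p_amount, session_user)  -- session_user is the real caller
    RETURNING id INTO new_id;
    RETURN new_id;
END;
$$;
ALTER FUNCTION ledger.post_entry(text, numeric) OWNER TO ledger_owner;

-- Functions are executable by PUBLIC by default; narrow that to clerk.
REVOKE ALL ON FUNCTION ledger.post_entry(text, numeric) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION ledger.post_entry(text, numeric) TO clerk;

COMMIT;
```

Connected as `clerk`, `SELECT ledger.post_entry('cash', 125.00);` succeeds, while `UPDATE ledger.journal SET amount = 0;` fails with a permission error because the role holds no privileges on the table itself.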

LDAP users?

Posted May 10, 2012 16:02 UTC (Thu) by dskoll (subscriber, #1630)

Hmm, I don't really know... I haven't been able to upgrade to 1.3. :(

Even if permission-checking is good, you can still do a lot more damage a lot more quickly with psql than the web interface. For example, you might be able to do a mass update in psql in the blink of an eye where the Web interface will slow you down before you can do too much damage. :)

LedgerSMB... GAAAAAHHH!!!

Posted May 10, 2012 21:03 UTC (Thu) by dskoll (subscriber, #1630)

So I took another crack at upgrading from LedgerSMB 1.2.x to 1.3.16.

Total, utter failure.

The "setup.pl" script keeps asking for a login/password and rejecting whatever I give. Tracing through a hundred twisty Perl scripts, all alike, I got nowhere.

I give up. At this point, we're frozen in amber at 1.2.21. My choices now are to do a clean installation of 1.3.16 at the end of the fiscal year and start fresh, pay someone (anyone out there?) to upgrade us, or switch away from LedgerSMB.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.