SS0

[Bastiaan Olij]

Hi Rob,

No, if you set the HBA file to trust that means anyone can get in
without a valid password as long as the user exists.

Postgres does have support for Kerbose thought it is a pain to setup and
I think they're replaced the implementation with GSSAPI both of which
would give you SSO capabilities however there are two buts on this
compared to the MS SQL approach
1) you must send through the correct user name, on windows you can grab
this from the environment settings just fine so you don't need to ask
the user. The postgres client library is smart enough to sent through
the rest of the info needed.
2) you must create a role, you can use the mapping functionality to map
all user names to a single database role to make life easier but that
would give everyone on the domain access to your database and you can't
see the difference between users which may be a problem if you use the
postgres security model to deny access to certain tables to certain users

That all said, kerbose is a PAIN to setup properly and I have not found
good enough info on the web (yet) to make it work.

Cheers,

Bas

On 16/04/13 10:01 AM, Robert Mostyn wrote:
> I think Postgres has an option for login based on network name.  If you label it as "trust" in hba conf file, my guess it lets the user through without password.
> Not ried this - just theory.
>
> Rob