CrunchyData / postgres-operator

Production PostgreSQL for Kubernetes, from high availability Postgres clusters to full-scale database-as-a-service.
https://access.crunchydata.com/documentation/postgres-operator/v5/
Apache License 2.0

Question: LDAP integration users permission #3207

Open todeb opened 2 years ago

todeb commented 2 years ago

After setup ldap auth on pgAdmin 4, when log in as ldap user I do not see any database servers. With pgadmin@pgo I see it.

Is it expected? How to assign permission for ldap user to database server / cluster?

tjmoore4 commented 2 years ago

@todeb that is the expected behavior. At this time, DB connection information is only auto-populated when using usernames & passwords with pgAdmin4, not when using the LDAP integration. Any needed permissions will have to be configured manually.

todeb commented 2 years ago

Do you mean that logins, users and privileges should be added manually by queries? If the logins and passwords are not populated to DB, then what is the purpose of that LDAP integration?

andrewlecuyer commented 2 years ago

@todeb the purpose of the LDAP integration is to allow you to authenticate into pgAdmin 4 using your own LDAP server, as described in the LDAP Authentication page of the pgAdmin 4 docs.

And once your users have authenticated into pgAdmin using the credentials they provide to authenticate into your LDAP server, they will then simply need to manually configure any required connections to the PostgreSQL database.

todeb commented 2 years ago

Is it possible to match manually created or auto-populated logins in the DB with the LDAP users, so they can authenticate with their LDAP passwords?

andrewlecuyer commented 2 years ago

@todeb yes - the purpose of the LDAP integration is to allow users to authenticate into pgAdmin 4 using their LDAP credentials.

andrewlecuyer commented 2 years ago

As previously mentioned, the purpose of the LDAP integration is to allow users to authenticate into pgAdmin 4 using their LDAP credentials.

However, to clarify - PGO will not currently create DB users based on users in LDAP, nor will PGO currently create users in LDAP based on the users you define in your PostgresCluster spec.

todeb commented 2 years ago

I mean login to the DB, not pgadmin4. If I have a user from LDAP: user1 / pass1, who authenticates through pgadmin4. I'm creating a login in the DB: user1 with a random password. I expect that the password will sync with the LDAP password. So I won't need to provide an additional pwd to the user. So he will auth to both pgadmin4 and the db with the same cred, e.g. user1 / pass1

andrewlecuyer commented 2 years ago

Currently the LDAP integration enables authentication into pgAdmin via LDAP only. This means when using LDAP in the example you provided, the DB connection as user1 within pgAdmin will need to be manually configured.

In the future we look to expand this integration to better facilitate database connections for LDAP users, but for now that capability is only available when using "internal" authentication with pgAdmin.

andrewlecuyer commented 2 years ago

Also, please note that you can configure PostgreSQL to authenticate via LDAP as well (configured separately from LDAP for pgAdmin 4).

This would allow you to authenticate into both PostgreSQL and pgAdmin using the same credentials.
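The two-sided setup the last comment points at, written out as an added example that is not part of this thread or of the postgres-operator project: pgAdmin 4 authenticates users against LDAP, and PostgreSQL's pg_hba does the same for the matching role, so user1 logs into both with one LDAP password. The cluster name, hosts, DNs, Secret names and the `spec.patroni.dynamicConfiguration.postgresql.pg_hba` / `spec.userInterface.pgAdmin.config` field paths are assumptions to check against the PGO v5 release in use.

```yaml
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
  name: hippo          # placeholder cluster name (added example, not PGO's own)
spec:
  postgresVersion: 14
  instances:
    - name: instance1
      dataVolumeClaimSpec:
        accessModes: ["ReadWriteOnce"]
        resources: { requests: { storage: 1Gi } }
  # PGO does not create roles from LDAP, so the role must exist in PostgreSQL
  # under the same name the LDAP user logs in with.
  users:
    - name: user1
      databases: [hippo]
  patroni:
    dynamicConfiguration:
      postgresql:
        pg_hba:
          # search+bind over ldaps, hostssl only: the user's LDAP password must
          # never reach PostgreSQL in the clear. The bind DN needs read access
          # to the search base and nothing more, because this password sits in
          # Patroni's dynamic config where anyone who can read it can see it.
          - >-
            hostssl hippo user1 0.0.0.0/0 ldap
            ldapserver=ldap.example.internal ldapport=636 ldapscheme=ldaps
            ldapbasedn="ou=people,dc=example,dc=internal"
            ldapbinddn="cn=pg-bind,ou=svc,dc=example,dc=internal"
            ldapbindpasswd="BIND_PASSWORD_PLACEHOLDER"
            ldapsearchattribute=uid
  userInterface:
    pgAdmin:
      dataVolumeClaimSpec:
        accessModes: ["ReadWriteOnce"]
        resources: { requests: { storage: 1Gi } }
      config:
        # Bind password comes from a Secret rather than the spec itself.
        ldapBindPassword:
          name: pgadmin-ldap-bind     # placeholder Secret name
          key: password
        settings:
          # keep "internal" so pgadmin@pgo still works alongside LDAP logins
          AUTHENTICATION_SOURCES: ["ldap", "internal"]
          LDAP_SERVER_URI: "ldaps://ldap.example.internal:636"
          LDAP_BASE_DN: "ou=people,dc=example,dc=internal"
          LDAP_BIND_USER: "cn=pgadmin-bind,ou=svc,dc=example,dc=internal"
          LDAP_USERNAME_ATTRIBUTE: "uid"
```

Narrow the `0.0.0.0/0` source to the CIDRs pgAdmin and your clients actually connect from; the server connection inside pgAdmin still has to be added by hand, as the thread says.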