Re: Password complexity/history - credcheck?

Martin Goodson <kaemaril@googlemail.com>

From: Martin Goodson <kaemaril@googlemail.com>
To: Christoph Moench-Tegeder <cmt@burggraben.net>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-general@lists.postgresql.org
Date: 2024-06-23T13:14:43Z
Lists: pgsql-general
On 23/06/2024 11:49, Christoph Moench-Tegeder wrote:

> My advice would be to not use secrets stored in the database -
> that is, do not use scram-sha-256 - but use an external authentication
> system, like Kerberos (might be AD) or LDAP (might also be AD) and have
> that managed by the security team: that way all these compliance

Crikey, that would be  quite a lot of  lot of SSL/TLS to set up. We have 
quite a few (massive understatement :( ... ) PostgreSQL database 
clusters spread over quite a lot (another understatement) of VMs.

The last time I suggested LDAP there was a lot of enthusiasm ... until 
they went down and looked at what might have to be done, after which it 
all became very quiet ...

Regards,

Martin.