Thread: Coordinating database user accounts with active directory
I have a client that wants to use active directory for authentication of connections to a postgres database. They want to be able to monitor what each user is doing so believe that the best solution is to have one database account per user. However, they do not want to have to manage the database accounts.

Is there a simple way of coordinating active directory users with database accounts? I am happy to write tools to deal with the database end of things, but have no experience with active directory.

Any and all suggestions would be appreciated.

__
Marc

On 21/11/2007 19:44, Marc Munro wrote:

> Is there a simple way of coordinating active directory users with
> database accounts? I am happy to write tools to deal with the database
> end of things, but have no experience with active directory. Any and

You could use a VBScript script on the domain server to dump a comma-delimited list of users, then use this to generate CREATE USER statements to create the database users.

I'm not an expert on AD, but I recently had to write a script to bulk-create user accounts in AD, and I'd be happy to share that with you if it would give you some pointers.

Ray.

---------------------------------------------------------------
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
rod@iol.ie
---------------------------------------------------------------

Raymond O'Donnell wrote:

> On 21/11/2007 19:44, Marc Munro wrote:
>> Is there a simple way of coordinating active directory users with
>> database accounts? I am happy to write tools to deal with the
>> database end of things, but have no experience with active directory.
>> Any and
>
> You could use a VBScript script on the domain server to dump a
> comma-delimited list of users, then use this to generate CREATE USER
> statements to create the database users.

The tricky bit (I'd guess) is to trigger a script when a new user is created on the Windows side of things. There seem to be people authenticating via Windows otherwise.

I don't know of a hook on Windows that fires on the user-creation event. Would a cron-job + samba tools do, or does it need to be up + running the same instant as the Windows-user?

--
Richard Huxton
Archonet Ltd

On 21/11/2007 22:32, Richard Huxton wrote:

> The tricky bit (I'd guess) is to trigger a script when a new user is
> created on the Windows side of things. There seem to be people

Yeah... I was thinking in terms of doing it just once, which is what I do - it's for an educational institution, meaning it has to be done just once a year, so I do it by hand when all the students are registered.

> I don't know of a hook on Windows that fires on the user-creation event.
> Would a cron-job + samba tools do, or does it need to be up + running
> the same instant as the Windows-user?

I don't either. Maybe a cron job that checks for new AD users via LDAP and creates the database user when one is found? I don't know whether you can tell when a user is created from LDAP... if you can, then new users are those created since the last time you checked; and if not, then you have to store all the users created thus far so as to tell who's new, so it gets a little messy.

Just thinking out loud....

Ray.

---------------------------------------------------------------
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
rod@iol.ie
---------------------------------------------------------------
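
Added example, not part of any post in this thread: a sketch of the periodic sync discussed above, which diffs a comma-delimited AD dump against the set of roles created on earlier runs and emits the role statements with identifier quoting, so that an odd account name cannot change the SQL. The function names, the `sAMAccountName` column header in the dump, and the idea that the caller supplies the previously managed role names are assumptions; the sample data is constructed.

```python
import csv
import io

MAX_IDENT_BYTES = 63  # PostgreSQL truncates longer identifiers

def quote_ident(name):
    """Quote a role name as a PostgreSQL identifier (embedded " doubled)."""
    if not name or "\x00" in name or len(name.encode("utf-8")) > MAX_IDENT_BYTES:
        raise ValueError("unusable role name: %r" % name)
    return '"' + name.replace('"', '""') + '"'

def read_ad_dump(text, column="sAMAccountName"):
    """Return the set of account names in a comma-delimited AD dump."""
    names = set()
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get(column) or "").strip()
        if name:
            names.add(name)
    return names

def sync_statements(ad_users, managed_roles):
    """Diff AD accounts against the roles this tool created earlier.

    New accounts get a login role. Roles whose account has gone are set
    NOLOGIN rather than dropped, so past activity stays attributable.
    """
    stmts, rejected = [], []
    for name in sorted(ad_users - managed_roles):
        try:
            stmts.append("CREATE ROLE %s LOGIN;" % quote_ident(name))
        except ValueError:
            rejected.append(name)  # report, never emit unquotable names
    for name in sorted(managed_roles - ad_users):
        stmts.append("ALTER ROLE %s NOLOGIN;" % quote_ident(name))
    return stmts, rejected

# Constructed sample data, not real accounts. The third name only
# exercises the quoting path.
SAMPLE_DUMP = 'sAMAccountName,displayName\nmmunro,Marc\nrod,Ray\n"odd""name",Odd\n'
SAMPLE_MANAGED = {"rod", "olduser"}  # roles recorded from the previous run

if __name__ == "__main__":
    stmts, rejected = sync_statements(read_ad_dump(SAMPLE_DUMP), SAMPLE_MANAGED)
    print("\n".join(stmts))
    for name in rejected:
        print("-- skipped:", repr(name))
```

The roles are created without a password, so how they authenticate is left to whatever method the server's `pg_hba.conf` ties to the directory.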