
Is there any advantage in using Active Directory (LDAP) for authentication and authorization over using a regular database such as postgres to store users' information?

I’m working with a cybersec guy who stated that implementing authentication using a backend server and a database is a practice from 20 years ago. He wants the user authentication and authorization to totally rely on LDAP.

3 Answers


  1. PostgreSQL does support LDAP, but it is an inferior method. It also supports SSPI and GSSAPI (Kerberos), and you would want to use one of them to authenticate against Active Directory.

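To make the comparison in the first answer concrete, here is a constructed pg_hba.conf fragment (added here, not part of the answer or of PostgreSQL's documentation) showing both approaches side by side. Host names, the base DN, the service account and the network range are assumptions; the bind password is a placeholder.

```text
# pg_hba.conf fragment (constructed example)
# TYPE      DATABASE  USER  ADDRESS     METHOD  OPTIONS

# Option A: LDAP search+bind against Active Directory.
# PostgreSQL receives the user's clear-text password and then binds to the
# directory with it, so both hops need encryption: hostssl for the client
# connection and ldapscheme=ldaps for the directory connection.
hostssl     all       all   10.0.0.0/8  ldap ldapserver=dc1.corp.example.com ldapscheme=ldaps ldapbasedn="dc=corp,dc=example,dc=com" ldapsearchattribute=sAMAccountName ldapbinddn="cn=pgsvc,ou=service,dc=corp,dc=example,dc=com" ldapbindpasswd="<SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER>"

# Option B: Kerberos via GSSAPI (or sspi on a Windows server).
# No password ever reaches PostgreSQL; the client presents a ticket issued
# by the AD KDC. include_realm=0 strips @CORP.EXAMPLE.COM so the principal
# maps directly to the database role name; krb_realm rejects other realms.
hostgssenc  all       all   10.0.0.0/8  gss include_realm=0 krb_realm=CORP.EXAMPLE.COM
```

The practical difference is what the database server ever sees: with the ldap method the server handles the user's password and holds a directory service-account secret on disk; with gss it verifies a ticket and holds neither. That is the reason the first answer ranks LDAP below GSSAPI/SSPI for an Active Directory environment.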
  2. LDAP databases (including Active Directory) are designed specifically for user authentication and security, and offer a lot of solutions for managing identity data at scale. They typically offer many utilities for managing users, such as password policy configuration. For example, you could create a policy that ensures a certain subset of users must use at least 12 characters for their passwords. LDAP databases can also give control over specific types of hashing algorithms to use when storing passwords in the database (e.g., PBKDF2, Argon2, SSHA-512), and will often support popular schemes natively.

    You may find that PostgreSQL is sufficient for your needs, but if you expect to build a database that will be used for important workflows, it would be a good idea to make sure that it will meet your needs for the near future (e.g., availability, speed, security). Having to move data from one database type to another can be challenging.

    The following page has some additional info on LDAP servers that may be helpful.

    https://ldap.com/why-choose-ldap/

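The second answer names two things a directory gives you out of the box: a per-group password policy and a choice of storage scheme (PBKDF2, SSHA-512). The following Python example, added here and not part of the answer, shows what you would have to build yourself if users live in a plain database table: a group-aware minimum-length policy, plus PBKDF2-SHA256 and SSHA-512 encodings in the `{SCHEME}` prefix style LDAP servers use. The group names, the policy table and the `{PBKDF2-SHA256}iterations$salt$hash` layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed policy table: minimum password length per group, mirroring a
# directory password policy that applies stricter rules to a subset of users.
POLICY = {"default": 8, "admins": 12}

PBKDF2_PREFIX = "{PBKDF2-SHA256}"
SSHA512_PREFIX = "{SSHA512}"


def min_length_for(groups):
    """Strictest minimum length among the user's groups (assumed policy)."""
    lengths = [POLICY.get(g, POLICY["default"]) for g in groups]
    return max(lengths, default=POLICY["default"])


def check_policy(password, groups=()):
    return len(password) >= min_length_for(groups)


def hash_pbkdf2(password, iterations=600_000, salt=None):
    """Encode as {PBKDF2-SHA256}iterations$b64(salt)$b64(derived key)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s%d$%s$%s" % (
        PBKDF2_PREFIX,
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_pbkdf2(password, stored):
    if not stored.startswith(PBKDF2_PREFIX):
        return False
    iterations, salt_b64, dk_b64 = stored[len(PBKDF2_PREFIX):].split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    # Constant-time comparison so verification time does not leak the prefix match.
    return hmac.compare_digest(candidate, expected)


def hash_ssha512(password, salt=None):
    """Salted SHA-512 in the LDAP {SSHA512}b64(digest || salt) form."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return SSHA512_PREFIX + base64.b64encode(digest + salt).decode()


def verify_ssha512(password, stored):
    if not stored.startswith(SSHA512_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA512_PREFIX):])
    digest, salt = raw[:64], raw[64:]  # SHA-512 digest is 64 bytes; the rest is salt
    candidate = hashlib.sha512(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def store_password(password, groups=(), scheme="PBKDF2-SHA256"):
    """Apply the policy, then return the encoded value to put in the user row."""
    if not check_policy(password, groups):
        raise ValueError("password shorter than %d characters" % min_length_for(groups))
    if scheme == "PBKDF2-SHA256":
        return hash_pbkdf2(password)
    if scheme == "SSHA512":
        return hash_ssha512(password)
    raise ValueError("unsupported scheme: %s" % scheme)


def verify_password(password, stored):
    """Dispatch on the {SCHEME} prefix, as a directory does for userPassword."""
    if stored.startswith(PBKDF2_PREFIX):
        return verify_pbkdf2(password, stored)
    if stored.startswith(SSHA512_PREFIX):
        return verify_ssha512(password, stored)
    return False


if __name__ == "__main__":
    row = store_password("correct horse battery", groups=("admins",))
    print(row[:40] + "...", verify_password("correct horse battery", row))
```

The scheme prefix is what lets a stored credential be migrated later (re-hash on next successful login when the prefix is not the current scheme), which is the same mechanism the answer describes directories supporting natively.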
  3. I think you are not talking about authenticating to PostgreSQL, but about managing application users, right?

    If the application users are not part of your organization, but for example customers, they won’t be part of your company’s identity management system (Microsoft Active Directory in your case), so you will manage them in a database table.

    If, on the other hand, the application users are the members of your organization who are registered in the identity management system, it makes a lot of sense to use that identity management system as the repository for your application users. The advantages are:

    • If users are added or removed in the central identity management system, they are automatically added or removed as application users, and there is no danger that a user that was removed can still access the application.

    • If you delegate authentication to the identity management system, you don’t have to implement your own authentication system. Then nobody can ever lose their application password, and you can implement convenient solutions like single sign-on.
