BUG #14040: Cannot authenticate against Active Directory in search+bind mode using domain root naming context

From: xenophon(at)irtnog(dot)org
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #14040: Cannot authenticate against Active Directory in search+bind mode using domain root naming context
Date: 2016-03-22 18:28:31
Message-ID: 20160322182831.2911.62573@wrigleys.postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 14040
Logged by: Matthew X. Economou
Email address: xenophon(at)irtnog(dot)org
PostgreSQL version: 9.2.15
Operating system: CentOS 7
Description:

When authenticating PostgreSQL login roles against an Active Directory
domain in search+bind mode using the domain root naming context (NC) as the
search base, e.g., with an entry similar to the following in pg_hba.conf -
`host all all 0.0.0.0/0 ldap ldapserver=example.com ldapbasedn="dc=example,dc=com" ldapbinddn=pgsql@EXAMPLE.COM ldapbindpasswd=12345skrooB ldapsearchattribute=sAMAccountName ldaptls=1`,
PostgreSQL will fail to authenticate the user even though the user provided
the correct credentials.

1 - PostgreSQL's LDAP client will connect to a domain controller, bind using
the provided ldapbinddn/ldapbindpasswd, and perform a subtree search from
the domain root NC. The domain controller will return the correct user
object plus referrals to the other Active Directory NCs, e.g.,
`cn=Configuration,dc=example,dc=com`, `cn=DomainDnsZones,dc=example,dc=com`,
and `cn=ForestDnsZones,dc=example,dc=com`.

2 - The LDAP client will chase the referrals automatically, but it binds to
each NC anonymously, after which it performs the same subtree search. These
searches fail because Active Directory does not permit anonymous directory
searches by default.

3 - The LDAP client does not attempt to re-bind using the original search
results plus the user's password. It seems that the search failures in step
2 trump the successful search results in step 1.

As a workaround one may specify a non-root search base, e.g.,
`ldapbasedn="ou=MyBusiness,dc=example,dc=com"`, which being more specific
causes the domain controller to not include referrals to other NCs.

Another workaround would be to disable referral chasing. However, it does
not appear possible to disable LDAP referrals via postgresql.conf. This
should be possible in the LDAP client library via ldap_set_option, i.e., by
setting `LDAP_OPT_REFERRALS` to `LDAP_OPT_OFF`.

The expected behavior is that PostgreSQL would perform all searches using
the provided credentials and that it would not ignore successful search
results.
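A diagnostic script reproducing the search described in steps 1 and 2 of the report, added here as an example; it is not part of the bug report or of PostgreSQL. It assumes OpenLDAP's ldapsearch client, reuses the placeholder host, bind account, password and OU from the report, and introduces a hypothetical PG_USER variable for the login name under test. The LDIF it parses offline is a constructed sample shaped like an AD response that returns the user entry together with referrals to the Configuration, DomainDnsZones and ForestDnsZones naming contexts.

```shell
#!/bin/sh
# Added diagnostic script, not part of the bug report or of PostgreSQL.
# Assumes OpenLDAP's ldapsearch. example.com, pgsql@EXAMPLE.COM, the bind
# password and OU=MyBusiness are the placeholder values from the report;
# PG_USER (hypothetical) is the login name being tested.

# Search the domain root NC the way PostgreSQL's search+bind mode does:
# bind as the service account, subtree search for sAMAccountName, StartTLS.
# Without -C ldapsearch does not chase referrals, so every referral the
# domain controller returns next to the user entry is printed as a
# "# refldap://..." line (or "ref: ldap://..." without -LLL).
search_root_nc() {
    ldapsearch -LLL -ZZ -H ldap://example.com \
        -D 'pgsql@EXAMPLE.COM' -w '12345skrooB' \
        -b 'dc=example,dc=com' -s sub "(sAMAccountName=$1)" dn
}

# Same search with -C: ldapsearch now chases the referrals. Like
# PostgreSQL's client it installs no rebind procedure, so libldap binds
# anonymously to each referred NC, which AD rejects by default (step 2).
search_root_nc_chasing() {
    ldapsearch -LLL -ZZ -C -H ldap://example.com \
        -D 'pgsql@EXAMPLE.COM' -w '12345skrooB' \
        -b 'dc=example,dc=com' -s sub "(sAMAccountName=$1)" dn
}

# The workaround from the report: a search base below the domain root,
# for which the DC returns no referrals to the other NCs.
search_ou() {
    ldapsearch -LLL -ZZ -H ldap://example.com \
        -D 'pgsql@EXAMPLE.COM' -w '12345skrooB' \
        -b 'ou=MyBusiness,dc=example,dc=com' -s sub "(sAMAccountName=$1)" dn
}

# Summarize LDIF on stdin as "<entries> <referrals>": entries counts "dn:"
# lines, referrals counts both referral output styles of ldapsearch.
summarize_ldif() {
    awk '
        /^dn: /              { entries++ }
        /^# ref/ || /^ref: / { refs++ }
        END { printf "%d %d\n", entries + 0, refs + 0 }
    '
}

# Succeed when exactly one user entry came back, however many referrals
# accompanied it: the result the report says should be accepted for the
# subsequent bind with the user's password instead of failing the login.
user_found() {
    set -- $(summarize_ldif)
    [ "$1" -eq 1 ]
}

# Constructed sample of what search_root_nc prints against a domain root NC.
SAMPLE_LDIF='dn: CN=Matthew Economou,OU=MyBusiness,DC=example,DC=com

# refldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# refldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# refldap://example.com/CN=Configuration,DC=example,DC=com
'

# Query the real domain controller only when PG_USER is set; otherwise
# parse the constructed sample so the script runs offline.
if [ -n "${PG_USER:-}" ]; then
    search_root_nc "$PG_USER" | user_found \
        && echo "user found in root NC search; referrals ignored"
    search_ou "$PG_USER" | summarize_ldif
else
    printf '%s' "$SAMPLE_LDIF" | summarize_ldif   # prints: 1 3
fi
```

Run with PG_USER=<login> against the domain to see the "# refldap://" lines that accompany the single dn: line in the root NC search, and compare with search_ou, which returns the entry with no referrals. search_root_nc_chasing is the run that reproduces the anonymous-bind failures when chasing the referrals.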
