From: xenophon(at)irtnog(dot)org
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #14040: Cannot authenticate against Active Directory in search+bind mode using domain root naming context
Date: 2016-03-22 18:28:31
Message-ID: 20160322182831.2911.62573@wrigleys.postgresql.org
Lists: pgsql-bugs
The following bug has been logged on the website:
Bug reference: 14040
Logged by: Matthew X. Economou
Email address: xenophon(at)irtnog(dot)org
PostgreSQL version: 9.2.15
Operating system: CentOS 7
Description:
When authenticating PostgreSQL login roles against an Active Directory
domain in search+bind mode using the domain root naming context (NC) as the
search base, e.g., with an entry similar to the following in pg_hba.conf -
`host all all 0.0.0.0/0 ldap ldapserver=example.com
ldapbasedn="dc=example,dc=com" ldapbinddn=pgsql(at)EXAMPLE(dot)COM
ldapbindpasswd=12345skrooB ldapsearchattribute=sAMAccountName ldaptls=1`,
PostgreSQL will fail to authenticate the user even though the user provided
the correct credentials.
1 - PostgreSQL's LDAP client will connect to a domain controller, bind using
the provided ldapbinddn/ldapbindpasswd, and perform a subtree search from
the domain root NC. The domain controller will return the correct user
object plus referrals to the other Active Directory NCs, e.g.,
`cn=Configuration,dc=example,dc=com`, `cn=DomainDnsZones,dc=example,dc=com`,
and `cn=ForestDnsZones,dc=example,dc=com`.
2 - The LDAP client will chase the referrals automatically, but it binds to
each NC anonymously, after which it performs the same subtree search. These
searches fail because Active Directory does not permit anonymous directory
searches by default.
3 - The LDAP client does not attempt to re-bind using the original search
results plus the user's password. It seems that the search failures in step
2 trump the successful search results in step 1.
As a workaround one may specify a non-root search base, e.g.,
`ldapbasedn="ou=MyBusiness,dc=example,dc=com"`, which being more specific
causes the domain controller to not include referrals to other NCs.
Another workaround would be to disable referral chasing. However, it does
not appear possible to disable LDAP referrals via postgresql.conf. This
should be possible in the LDAP client library via ldap_set_option, i.e., by
setting `LDAP_OPT_REFERRALS` to `LDAP_OPT_OFF`.
The expected behavior is that PostgreSQL would perform all searches using
the provided credentials and that it would not ignore successful search
results.
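The report's first workaround is to avoid a domain root naming context as the search base. The following is an added example, not code from the reporter or from PostgreSQL: a small pg_hba.conf linter that parses each record (double-quoted option values included), picks out ldap records in search+bind mode (ldapsearchattribute set) and flags those whose ldapbasedn consists only of dc= components, i.e. the configuration the report shows failing. The sample pg_hba.conf content, the bind DN and the password placeholder are constructed; the parser assumes a single-token CIDR ADDRESS column and DNs without escaped commas.

```python
import shlex

# Constructed sample pg_hba.conf (not the reporter's file). Line 4 mirrors the entry in the
# report; line 5 uses the non-root search base the report suggests as a workaround.
# Bind DN and password are placeholders, not real credentials.
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS     METHOD
local   all       all               peer
host    all       all   0.0.0.0/0   ldap ldapserver=example.com ldapbasedn="dc=example,dc=com" ldapbinddn="pgsql@EXAMPLE.COM" ldapbindpasswd="PLACEHOLDER" ldapsearchattribute=sAMAccountName ldaptls=1
host    all       all   10.0.0.0/8  ldap ldapserver=example.com ldapbasedn="ou=MyBusiness,dc=example,dc=com" ldapbinddn="pgsql@EXAMPLE.COM" ldapbindpasswd="PLACEHOLDER" ldapsearchattribute=sAMAccountName ldaptls=1
"""


def parse_hba_record(line):
    """Split one pg_hba.conf record into its type, method and a dict of method options.

    Returns None for blank/comment lines. Option values may be double-quoted
    (ldapbasedn="dc=example,dc=com"); shlex strips the quotes for us.
    Assumes ADDRESS is one CIDR token, not the two-token "address netmask" form.
    """
    fields = shlex.split(line, comments=True)
    if not fields:
        return None
    n_cols = 4 if fields[0] == "local" else 5  # 'local' records have no ADDRESS column
    if len(fields) < n_cols:
        return None
    options = {}
    for tok in fields[n_cols:]:
        key, _, value = tok.partition("=")
        options[key] = value
    return {"type": fields[0], "method": fields[n_cols - 1], "options": options}


def is_domain_root_nc(basedn):
    """True when every RDN is a dc= component, i.e. the base is an AD domain root naming context.
    Escaped commas inside RDN values are not handled (assumption for this example)."""
    rdns = [r.strip() for r in basedn.split(",") if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def find_root_nc_search_bind(text):
    """Return (line_number, ldapbasedn) for each search+bind ldap record rooted at a domain NC.
    search+bind mode is selected by ldapsearchattribute; simple-bind records do no search."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rec = parse_hba_record(raw)
        if rec is None or rec["method"] != "ldap":
            continue
        opts = rec["options"]
        if "ldapsearchattribute" in opts and is_domain_root_nc(opts.get("ldapbasedn", "")):
            findings.append((lineno, opts["ldapbasedn"]))
    return findings


if __name__ == "__main__":
    for lineno, base in find_root_nc_search_bind(SAMPLE_PG_HBA):
        print(f"line {lineno}: search+bind against domain root NC {base!r}; AD will add referrals to other NCs")
```

Each finding names a record that, per the report, will receive referrals to the Configuration and DNS naming contexts and fail to authenticate until the base is narrowed or referral chasing is disabled.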