PostGres Config to Authenticate against AD over LDAP

From: Richard Esmonde <richard(dot)esmonde(at)archimedesmodel(dot)com>
To: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: PostGres Config to Authenticate against AD over LDAP
Date: 2009-08-05 16:22:26
Message-ID: 2FA22EC12FF0E74690165D778E5C0C550130E98DF8B0@EX-001.mail.navisite.com
Lists: pgsql-general

Hi,

I'm new to PostGres (so go easy on my naivety). I am trying to configure
the postgres host based configuration file to permit users to authenticate
against our Active Directory.

Needless to say both Ubuntu server and AD are in the same Domain.

* I am running PostGRESQL v8.3.7 on a 64-Bit Ubuntu Hardy Heron Dell
  server with Apache 2.

* I am not running SSL.

* This work is happening on a LAN. My AD server=master1 and the
  LAN=belfry.lan

* I installed Postgres as follows:

    # sudo apt-get install postgresql-8.3 postgresql-client-8.3 postgresql-client-common postgresql-common

It runs just fine and I can create databases users and tables with no
problems.

Currently, the end of my pg_hba.conf file looks like:

============================================
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all all 10.5.5.0 255.255.255.0 password
# IPv6 local connections:
host all all ::1/128 md5
# Remote TCP/IP connection
#host all postgres 127.0.0.1/32 password
# host all all 10.5.5.0/16 ldap "ldap://master1:389/dc=belfry,dc=lan;BELFRY\"
# host all all 10.5.5.0 255.255.255.0 ldap "ldap://master1:389/dc=belfry,dc=lan;BELFRY\"
host all all 10.5.5.0 255.255.255.0 ldap "ldap://master1.belfry.lan:389/ou=Belfry Users,ou=programmers;dc=belfry,dc=lan;cn=*;BELFRY\"
=============================================

Each time I change it I stop and start PostGres.

I created a testuser and a test database. The user, testuser, exists in my
Active Directory with a different password. I can connect as testuser to
the DB via command line or via pgAdmin III with the postgres password for
testuser. When I try to connect using the user's LDAP password I always get:

    psql: FATAL: password authentication failed for user testuser

Three days into this I am none the wiser - I'm exhausting Google servers.
Can anyone tell me what I have forgotten to do or have overlooked in getting
this setup correctly? To my mind it's behaving as though it's not honoring
anything I have put in the pg_hba.conf for Remote TCP/IP connections. I
have to be missing something super simple... a postgres-ldap add-on for
Postgres on Ubuntu perhaps?

I set connections to debug2 in the logs. Debug5 was giving me hundreds of
lines of "blah". Tail of logs now looks like:

=============================================
2009-08-04 16:49:15 PDT DEBUG: proc_exit(0)
2009-08-04 16:49:15 PDT DEBUG: shmem_exit(0)
2009-08-04 16:49:15 PDT DEBUG: exit(0)
2009-08-04 16:49:15 PDT DEBUG: server process (PID 8637) exited with exit code 0
2009-08-04 16:49:24 PDT LOG: incomplete startup packet
2009-08-04 16:49:24 PDT DEBUG: proc_exit(0)
2009-08-04 16:49:24 PDT DEBUG: shmem_exit(0)
2009-08-04 16:49:24 PDT DEBUG: exit(0)
2009-08-04 16:49:24 PDT DEBUG: forked new backend, pid=8646 socket=9
2009-08-04 16:49:24 PDT DEBUG: server process (PID 8646) exited with exit code 0
2009-08-04 16:49:24 PDT DEBUG: postmaster received signal 2
2009-08-04 16:49:24 PDT LOG: received fast shutdown request
2009-08-04 16:49:24 PDT LOG: aborting any active transactions
2009-08-04 16:49:24 PDT LOG: autovacuum launcher shutting down
2009-08-04 16:49:24 PDT DEBUG: proc_exit(0)
2009-08-04 16:49:24 PDT DEBUG: shmem_exit(0)
2009-08-04 16:49:24 PDT DEBUG: exit(0)
2009-08-04 16:49:24 PDT DEBUG: proc_exit(0)
2009-08-04 16:49:24 PDT DEBUG: shmem_exit(0)
2009-08-04 16:49:24 PDT DEBUG: exit(0)
2009-08-04 16:49:24 PDT LOG: shutting down
2009-08-04 16:49:24 PDT LOG: database system is shut down
2009-08-04 16:49:24 PDT DEBUG: proc_exit(0)
2009-08-04 16:49:24 PDT DEBUG: shmem_exit(0)
2009-08-04 16:49:24 PDT DEBUG: exit(0)
2009-08-04 16:49:24 PDT DEBUG: proc_exit(0)
2009-08-04 16:49:24 PDT DEBUG: shmem_exit(0)
2009-08-04 16:49:24 PDT DEBUG: exit(0)
2009-08-04 23:53:23 GMT DEBUG: postgres: PostmasterMain: initial environ dump:
2009-08-04 23:53:23 GMT DEBUG: -----------------------------------------
2009-08-04 23:53:23 GMT DEBUG: LC_CTYPE=en_US.UTF-8
2009-08-04 23:53:23 GMT DEBUG: PGSYSCONFDIR=/etc/postgresql-common
2009-08-04 23:53:23 GMT DEBUG: PGLOCALEDIR=/usr/share/locale
2009-08-04 23:53:23 GMT DEBUG: PWD=/var/lib/postgresql
2009-08-04 23:53:23 GMT DEBUG: PGDATA=/var/lib/postgresql/8.3/main
2009-08-04 23:53:23 GMT DEBUG: LC_COLLATE=C
2009-08-04 23:53:23 GMT DEBUG: LC_MESSAGES=en_US.UTF-8
2009-08-04 23:53:23 GMT DEBUG: LC_MONETARY=C
2009-08-04 23:53:23 GMT DEBUG: LC_NUMERIC=C
2009-08-04 23:53:23 GMT DEBUG: LC_TIME=C
2009-08-04 23:53:23 GMT DEBUG: -----------------------------------------
2009-08-04 16:53:23 PDT LOG: could not load root certificate file "root.crt": no SSL error reported
2009-08-04 16:53:23 PDT DETAIL: Will not verify client certificates.
2009-08-04 16:53:23 PDT DEBUG: invoking IpcMemoryCreate(size=30384128)
2009-08-04 16:53:23 PDT DEBUG: max_safe_fds = 981, usable_fds = 1000, already_open = 9
2009-08-04 17:01:09 PDT LOG: could not load root certificate file "root.crt": no SSL error reported
2009-08-04 17:01:09 PDT DETAIL: Will not verify client certificates.
2009-08-04 17:01:09 PDT DEBUG: max_safe_fds = 981, usable_fds = 1000, already_open = 9
=============================================

Thanks in advance to any and all who have a clue more than I,

Rich
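
Added example, not part of the original message: PostgreSQL reads pg_hba.conf top to bottom and uses the first record whose connection type, database, user and client address match, with no fall-through to later records. The Python sketch below applies that rule to the active records quoted in the message and reports which record decides the method and which later records it shadows; the client address 10.5.5.20, the database name "test" and all function names are assumptions.

```python
import ipaddress

# Constructed sample: the active (uncommented) records from the message, in
# file order, with the wrapped ldap line rejoined.
PG_HBA = r'''
host all all 127.0.0.1/32 md5
host all all 10.5.5.0 255.255.255.0 password
host all all ::1/128 md5
host all all 10.5.5.0 255.255.255.0 ldap "ldap://master1.belfry.lan:389/ou=Belfry Users,ou=programmers;dc=belfry,dc=lan;cn=*;BELFRY\"
'''

def parse_hba(text):
    """Return (line_no, db, user, network, method) for each host* record."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f or not f[0].startswith("host"):
            continue  # blank lines, comments, continuation text, "local" records
        if "/" in f[3]:   # CIDR form: address/len, method follows
            net, method = f[3], f[4]
        else:             # separate address and netmask columns
            net, method = f[3] + "/" + f[4], f[5]
        # strict=False tolerates host bits in the address (e.g. 10.5.5.0/16)
        rules.append((no, f[1], f[2], ipaddress.ip_network(net, strict=False), method))
    return rules

def _field_matches(field, value):
    # Simplification: only "all" and literal names (no +group, @file, sameuser).
    return field == "all" or value in field.split(",")

def effective_and_shadowed(text, db, user, client_ip):
    """First matching record decides the method; later matches are never used."""
    ip = ipaddress.ip_address(client_ip)
    hits = [r for r in parse_hba(text)
            if _field_matches(r[1], db) and _field_matches(r[2], user) and ip in r[3]]
    return (hits[0] if hits else None), hits[1:]

if __name__ == "__main__":
    used, shadowed = effective_and_shadowed(PG_HBA, "test", "testuser", "10.5.5.20")
    print("method used:", used[4], "(sample line %d)" % used[0])
    for r in shadowed:
        print("never reached:", r[4], "(sample line %d)" % r[0])
```

For a client in 10.5.5.0/24 the earlier `password` record is the one selected, which is consistent with the "password authentication failed" message quoted in the post. Both `password` and `ldap` have the client send its password to the server in cleartext, so without SSL the credential is exposed on the LAN either way.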
