Re: [LDAPS] Test connection user with ldaps server

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: João Gaspar <joao(dot)f(dot)r(dot)gaspar(at)gmail(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: [LDAPS] Test connection user with ldaps server
Date: 2021-02-15 15:31:56
Message-ID: 30cb04ee32d1690a2d1b2a3efd1a53d5112d2d7c.camel@cybertec.at
Lists: pgsql-general

On Sat, 2021-02-13 at 10:36 +0000, João Gaspar wrote:
> I have a PostgreSQL 13.1 (RHEL 8.3) Server and I want to configure the pg_hba.conf with a remote ldaps server.
>
> My steps:
>
> I create a PostgreSQL user1 with superuser role to test the ldaps authentication method in the terminal client.
>
> Modify the pg_hba.conf to:
>
> host all all 0.0.0.0/0 ldap ldapurl="ldaps://serverurl:636/DC=company,DC=example,DC=com?sAMAccountName?sub" ldapbinddn="user-to-do-autentication-ldap-connection" ldapbindpasswd=" user-ldap-connection password-autentication"
>
> Save and restart the PostgreSQL service.
>
> Try to connect with the terminal client with psql -h postgresqlremoteserverhost -U user1, and after entering the password it gives the following error:
> psql: FATAL: LDAP authentication failed for user "user1"
>
> I validate the ldap user1 with ldapsearch (in the RHEL host) and the user1 appears in the ldapsearch correctly using the same ldapurl, ldapbinddn and ldapbindpasswd.
>
> Checking the remote postgresql logs, the connection to the remote ldaps does the correct authentication but can't search by the attribute sAMAccountName. Here is the PostgreSQL log:
> could not search LDAP for filter "(sAMAccountName=user1)" on server "serverurl": Operations error
> 2021-02-13 10:02:54.679 WET [1127801] DETAIL: LDAP diagnostics: 000004DC: LdapErr: DSID-0C0907E9, comment: To perform this operation a successful bind must be completed on the connection., data 0, v2580
>
> Info: The user1 was created as well in the ldaps server with sAMAccountName user1.
>
> It seems that the problem is in the pg_hba.conf, in how to tell it to search. Has anyone had a similar problem or a resolution?

That error looks strange to me, but I am not an LDAP expert.

Your configuration seems fine to me, and if it gets to search, it must have bound to
"DC=company,DC=example,DC=com?sAMAccountName" as the "ldapbinddn" first.

What I would do is experiment with the "ldapsearch" executable from OpenLDAP and see
if you can reproduce the problem from the command line.

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
