From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
To: Viktor Berke <bviktor(at)outlook(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: User Name Maps seem broken in 11.1 on CentOS 7
Date: 2019-01-29 21:37:06
Message-ID: 37efc320-af22-aa11-c68d-ecada155500d@aklaver.com
Lists: pgsql-general

On 1/29/19 1:11 PM, Viktor Berke wrote:
> Hi,
>
> After some talk with the helpful folks of #postgresql I see no other
> option but to ask here. I'm trying to set up proper authentication for
> our corporate users. They'll access postgres both from their
> workstations via TCP, and also locally. Locally, they're authenticated
> using SSSD which in turn is using LDAP to talk to our Active Directory
> DCs. That's not very relevant, but I just wanted to explain precisely.
>
> Anyhow, we try to enforce the "user(dot)name(at)company(dot)com" login wherever we
> can, so this is how I set up LDAP auth:
>
> hostssl all all 10.1.0.1/16 ldap ldapserver=dc2.ad.foobar.com
> ldapport=636 ldapscheme=ldaps ldaptls=0
> ldapbinddn="CN=ldap,OU=Helpers,OU=Foobar,DC=ad,DC=foobar,DC=com"
> ldapbindpasswd=*** ldapsearchattribute=mail
> ldapbasedn="OU=Users,OU=Foobar,DC=ad,DC=foobar,DC=com"
>
> This works perfectly fine. I create the role, e.g.:
>
> CREATE ROLE "jane(dot)doe(at)foobar(dot)com" CREATEDB CREATEROLE LOGIN;
>
> Then she can log in fine via pgAdmin or whatever, using her email address.
>
> Now I want to set up peer authentication locally, so that they don't
> have to enter their passwords all the time when they're already
> authenticated to the OS. The idea is that I map the local "jane.doe" OS
> user to the "jane(dot)doe(at)foobar(dot)com" role already present in postgres. This
> way I don't have to CREATE ROLE and manage permissions both for jane.doe
> and jane(dot)doe(at)foobar(dot)com. So the map would look something like this, I guess:
>
> foo /^(.*)$ \1(at)foobar\(dot)com (or something like that?)
>
> And here comes the problem: user name maps seem completely
> non-functional. First I suspected it's a problem with the dot in
> usernames, but even if I create a local Unix user ("foobar") and set
>
> local all all peer map=foo
>
> in pg_hba.conf and
>
> foo foobar postgres
>
> In pg_ident.conf, all I see in the log is that
>
> 2019-01-29 21:44:45.095 CET [41929] LOG: no match in usermap "foo" for
> user "foobar" authenticated as "foobar"
> 2019-01-29 21:44:45.095 CET [41929] FATAL: Peer authentication failed
> for user "foobar"
> 2019-01-29 21:44:45.095 CET [41929] DETAIL: Connection matched
> pg_hba.conf line 79: "local all all peer map=foo"
>
> Bummer. I also tried various regexes, even the likes of /^(.*)$, but the
> log ALWAYS says no match. The weird thing is that this is the log
> content even if there's nothing in pg_ident.conf, so it's like postgres
> doesn't even care about what's in there.
Is ident_file set to something else?

https://www.postgresql.org/docs/11/runtime-config-file-locations.html#GUC-IDENT-FILE
>
> Any ideas?
>
> Regards,
>
> Viktor
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
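
As an added example that is not part of the original thread: a small Python model of how PostgreSQL 11 evaluates a pg_ident.conf user name map (following the logic of check_ident_usermap() in src/backend/libpq/hba.c), run against constructed sample lines modelled on the ones quoted above. It shows why the entry "foo foobar postgres" produces exactly the logged "no match" when the client connects as foobar: a map only states which roles a given system user may connect as, it never rewrites the role the client requested. The same applies to the regex line, so jane.doe has to connect with -U jane.doe@foobar.com (or PGUSER set to that) for the map to match; connecting as plain jane.doe still fails. Python's re module stands in for PostgreSQL's own regex engine, which is an assumption that holds for patterns this simple. Before testing any map, confirm which file the server actually reads with SHOW ident_file; and, after editing it, run SELECT pg_reload_conf();, because pg_ident.conf is only re-read on SIGHUP.

```python
"""Model of PostgreSQL 11 pg_ident.conf user name map evaluation.

Added example, not code from PostgreSQL or from the thread. Rules modelled:
  * a line is   MAPNAME  SYSTEM-USERNAME  PG-USERNAME
  * a SYSTEM-USERNAME beginning with "/" is a regular expression; its single
    capture group may be referenced as \\1 in PG-USERNAME, which is otherwise
    taken literally (only the first \\1 is substituted, as in hba.c)
  * a line matches only if the resulting PG-USERNAME equals the role the
    client asked to connect as; the map never changes the requested role
  * literal SYSTEM-USERNAME comparison is case-sensitive (peer auth)
Assumption: Python's re behaves like PostgreSQL's regex engine for these
patterns, and the regex is searched unanchored, like regexec().
"""
import re
from typing import List, Optional, Tuple

# Constructed pg_ident.conf content, modelled on the lines in the thread.
SAMPLE_PG_IDENT = """
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
foo         foobar            postgres
foo         /^(.*)$           \\1@foobar.com
"""


def parse_pg_ident(text: str) -> List[Tuple[str, str, str]]:
    """Return (mapname, system_user, pg_user) triples, skipping blank and
    comment lines. Quoting is not modelled; hba.c's tokenizer supports it."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        mapname, system_user, pg_user = fields
        if system_user.startswith("/") and "\\1" in pg_user:
            # hba.c rejects this at load time: backreference without a group
            if re.compile(system_user[1:]).groups < 1:
                raise ValueError(f"regex {system_user!r} has no subexpression "
                                 f"but {pg_user!r} uses \\1")
        entries.append((mapname, system_user, pg_user))
    return entries


def usermap_allows(entries: List[Tuple[str, str, str]], mapname: str,
                   system_user: str, requested_role: str) -> Optional[str]:
    """Return the PG-USERNAME (after \\1 expansion) of the first line in map
    `mapname` that permits `system_user` to connect as `requested_role`,
    or None when the server would log 'no match in usermap'."""
    for name, sys_user, pg_user in entries:
        if name != mapname:
            continue
        if sys_user.startswith("/"):
            match = re.search(sys_user[1:], system_user)  # unanchored search
            if match is None:
                continue
            candidate = (pg_user.replace("\\1", match.group(1), 1)
                         if "\\1" in pg_user else pg_user)
        else:
            if sys_user != system_user:
                continue
            candidate = pg_user
        # The decisive check: does the mapped name equal what the client asked for?
        if candidate == requested_role:
            return candidate
    return None


def describe(entries, mapname: str, system_user: str, requested_role: str) -> str:
    """Format the outcome the way the server log in the thread words it."""
    mapped = usermap_allows(entries, mapname, system_user, requested_role)
    if mapped is None:
        return (f'no match in usermap "{mapname}" for user "{requested_role}" '
                f'authenticated as "{system_user}"')
    return f'usermap "{mapname}" allows "{system_user}" to connect as "{mapped}"'


if __name__ == "__main__":
    entries = parse_pg_ident(SAMPLE_PG_IDENT)
    for system_user, requested_role in [
        ("foobar", "foobar"),                 # the failing case from the log
        ("foobar", "postgres"),               # what that line actually permits
        ("jane.doe", "jane.doe"),             # forgot -U: fails
        ("jane.doe", "jane.doe@foobar.com"),  # -U jane.doe@foobar.com: allowed
        ("mallory", "jane.doe@foobar.com"),   # another OS user cannot borrow it
    ]:
        print(describe(entries, "foo", system_user, requested_role))
```

The last case is the property worth keeping in mind when writing a catch-all regex like /^(.*)$: the capture ties the permitted role to the authenticated OS user, so no local user can connect as another user's "@foobar.com" role; what the map cannot do is make the role exist, so CREATE ROLE for each address is still required.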