Re: LDAP authentication fails with more than one entry returned

From: Achilleas Mantzios <achill(at)matrix(dot)gatewaynet(dot)com>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: LDAP authentication fails with more than one entry returned
Date: 2017-08-17 14:39:47
Message-ID: 503e611f-29d8-b95e-b6cb-f74225e793ea@matrix.gatewaynet.com
Lists: pgsql-admin

On 17/08/2017 16:58, Michael(dot)Haertel(at)t-systems(dot)com wrote:
>
> Hello list,
>
> I configured postgreSQL to only allow users that are administered in LDAP to connect to one particular database on my PostgreSQL host. This works fine as long as only one entry is returned for the
> combination of “ldapbasedn” and “ldapsearchattribute”.
>

Why don't you go the simple bind mode route? Just specify ldapprefix, ldapsuffix to construct your bind DN, this should by definition be unique.

> I currently match the LDAP attribute UID against the login name. Problem is that the users exist several times in the specified (sub-) directory tree. Everything works if the user only exists once
> within the specified “ldapbasedn”.
>
> How to deal with that problem?
>
> I think it is common practice to have several sub-trees, one per organizational unit for example. Within that OU there are several sub-trees that define privileges for SAMBA shares, database
> connections or other purposes. Because I need to search for the users across several OUs, I can’t give the path to only one sub-tree.
>
> I am currently on windows so I can’t test the ldapurl feature.
>
> Would it be possible to use the ldapurl directive to allow an ldapsearch across different 1st level trees but only look for users within one particular sub-tree in each of the 1st level trees?
>
> Thank you very much for your comments,
>
> Michael Härtel
>

--
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt
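As an added illustration (not part of either message in this thread), here are the two pg_hba.conf shapes under discussion, with the host name, database name, base DN and service account as assumed placeholders: the search+bind form the original poster describes, which requires the search for ldapsearchattribute=username under ldapbasedn to yield exactly one entry, and the simple-bind form suggested in the reply, where PostgreSQL builds the DN as ldapprefix + username + ldapsuffix and binds with it directly, so no directory search happens and the DN is unique by construction.

```conf
# Assumed host, database and DN values; adjust to your own directory.

# 1) search+bind (the original poster's setup): PostgreSQL binds with the
#    ldapbinddn/ldapbindpasswd service account, searches ldapbasedn for
#    uid=<login name>, and rejects the login unless exactly one entry
#    matches. Users that appear more than once under the base DN fail here.
hostssl  appdb  all  0.0.0.0/0  ldap  ldapserver=ldap.example.org ldaptls=1 ldapbasedn="ou=People,dc=example,dc=org" ldapsearchattribute=uid ldapbinddn="cn=pgsearch,ou=Service,dc=example,dc=org" ldapbindpasswd="<bind-password>"

# 2) simple bind (the reply's suggestion): no search at all. The bind DN is
#    ldapprefix || <login name> || ldapsuffix, so it names one entry by
#    construction. It only works when every user's DN follows the same
#    pattern under a single parent.
hostssl  appdb  all  0.0.0.0/0  ldap  ldapserver=ldap.example.org ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=org"
```

Only one of the two lines should be active for a given database/user/address combination, since pg_hba.conf uses the first matching line. The simple-bind form removes the ambiguity the thread is about, but it cannot express users spread across several OUs with one prefix/suffix pair, which is exactly the structure the original poster describes. In either form, keep ldaptls=1 (or an ldaps server) so that the user's password is not sent to the directory in clear text, and protect pg_hba.conf itself, since it carries the search account's password in the first form.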
