From: | Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com> |
---|---|
To: | Thomas Munro <thomas(dot)munro(at)gmail(dot)com> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: LDAPS trusted ca support |
Date: | 2019-11-25 15:35:28 |
Message-ID: | CACg0f4aGJ7mi4nF1pYJzWnk-C7hzRzTPfL7N0JcT-L1fgEFjNQ@mail.gmail.com |
Lists: | pgsql-bugs |
OK, sorry for the mail before; I misunderstood your suggestion.
I verified the ldap.conf file and the TLS_CACERT parameter points to a PEM
file which already contains the certificate that signs the LDAP server
certificate.
On Mon, 25 Nov 2019 at 16:07 Marco Cuccato <
mcuccato(dot)vts(at)gmail(dot)com> wrote:
> Hi,
> unfortunately I cannot modify the company's LDAP server configuration.
> The only way is to configure my PGSQL instance which is a client of LDAP
> server.
> As the server, at connection time, presents its certificate, I need a
> way to tell PGSQL to trust it, adding somewhere the root CA certificate
> that's used to sign the LDAP certificate.
> At system level (a Red Hat 7.6 server), the root CA self-signed
> certificate is already added as a CA to be trusted, but it seems PGSQL
> ignores that.
> What can I do?
> Thanks
>
> On Tue, 19 Nov 2019 at 11:34 Thomas Munro <
> thomas(dot)munro(at)gmail(dot)com> wrote:
>
>> On Sat, Nov 16, 2019 at 10:50 AM Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com>
>> wrote:
>> > Hi to all and thanks for the great job you're doing with PGSQL!
>> > May you please check this question?
>> >
>> > https://stackoverflow.com/questions/58747680/postgresql-ldap-authentication-with-ssl-self-signed-certificate
>> > I can't figure out :(
>>
>> Hi,
>>
>> There are a bunch of files with names like ldap.conf that are searched
>> for configuration by libldap.so (depending how it was built).
>> https://www.openldap.org/software/man.cgi?query=ldap.conf describes
>> the options.
>>
>> For example, in the automated regression tests we just put the
>> following into a file we point to with $LDAPCONF:
>>
>> TLS_REQCERT never
>>
>> Without that, our simple LDAPS test fails with the same error you
>> showed. Of course you probably want to actually verify your real
>> server's certificate, so perhaps you need to put the self-signed cert
>> into TLS_CACERT (so it's trusted as a CA to sign stuff, including
>> itself).
>>
>> I'm not sure why command line ldapsearch is working for you. I'd try
>> using strace/truss to see what files it's opening to get that stuff,
>> and compare with PostgreSQL (trace the main postmaster process using
>> -f to follow children, and then try to log in).
>>
>
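The quoted reply above contrasts the regression-test setting `TLS_REQCERT never` (which disables server certificate verification) with the production approach of pointing `TLS_CACERT` at the signing CA. The following script is an added example, not code from the thread or from PostgreSQL or OpenLDAP: it parses an ldap.conf-style file and reports the TLS settings that would leave the LDAPS server certificate unverified, then compares a constructed weak configuration with a constructed hardened one. The `TLS_REQCERT` level meanings follow ldap.conf(5); the PEM "CA" written to a temp file is a placeholder with no real certificate data, and the candidate config paths are common build defaults (an assumption, since libldap's search list depends on how it was built).

```python
"""Audit an OpenLDAP client ldap.conf for the TLS settings discussed above.

Added example; not part of the mailing-list thread, PostgreSQL or OpenLDAP.
"""
import os
import re
import tempfile

# TLS_REQCERT levels that leave the server certificate unverified, with the
# behaviour ldap.conf(5) documents for each. 'demand' (the default) and
# 'hard' require a valid certificate and are treated as acceptable.
WEAK_REQCERT = {
    "never": "certificate is neither requested nor checked",
    "allow": "a bad or missing certificate is ignored",
    "try": "a missing certificate is accepted",
}
OK_REQCERT = {"demand", "hard"}

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def candidate_conf_paths():
    """Files libldap commonly consults, in a plausible order (assumed build
    defaults; $LDAPCONF / $LDAPRC override as described in ldap.conf(5))."""
    paths = []
    if os.environ.get("LDAPCONF"):
        paths.append(os.environ["LDAPCONF"])
    paths += ["/etc/openldap/ldap.conf", "/etc/ldap/ldap.conf"]
    home = os.path.expanduser("~")
    paths += [os.path.join(home, "ldaprc"), os.path.join(home, ".ldaprc"), "ldaprc"]
    if os.environ.get("LDAPRC"):
        paths.append(os.environ["LDAPRC"])
    return paths


def parse_ldap_conf(text):
    """Return {OPTION: value}. Comments and blank lines are skipped, option
    names are upper-cased (treated case-insensitively), later entries win."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def count_pem_certs(path):
    """Number of PEM certificate blocks in a TLS_CACERT file."""
    with open(path) as f:
        return len(PEM_CERT_RE.findall(f.read()))


def audit_ldap_conf(text):
    """Return a list of findings (strings) about TLS_REQCERT and the CA source."""
    opts = parse_ldap_conf(text)
    findings = []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()  # libldap default
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: {WEAK_REQCERT[reqcert]}")
    elif reqcert not in OK_REQCERT:
        findings.append(f"TLS_REQCERT has unknown value {reqcert!r}")
    cacert = opts.get("TLS_CACERT")
    if not cacert and not opts.get("TLS_CACERTDIR"):
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no trust anchor for the LDAP server certificate")
    elif cacert:
        if not os.path.isfile(cacert):
            findings.append(f"TLS_CACERT file not found: {cacert}")
        elif count_pem_certs(cacert) == 0:
            findings.append(f"TLS_CACERT {cacert} contains no PEM certificates")
    return findings


# Constructed weak configuration: the regression-test setting from the thread.
WEAK_CONF = """\
# constructed example, not a real deployment
URI ldaps://ldap.example.internal
TLS_REQCERT never
"""

# Constructed placeholder PEM block; the body is not a real certificate.
FAKE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderNOTaRealCertificate\n"
    "-----END CERTIFICATE-----\n"
)


def build_hardened_conf():
    """Write the placeholder CA to a temp file and return a config that
    verifies the server certificate against it."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write(FAKE_CA_PEM)
    return f"URI ldaps://ldap.example.internal\nTLS_CACERT {path}\nTLS_REQCERT demand\n"


if __name__ == "__main__":
    print("weak:", audit_ldap_conf(WEAK_CONF))
    print("hardened:", audit_ldap_conf(build_hardened_conf()))
    print("config files to check:", candidate_conf_paths())
```

Run against a real ldap.conf by passing its contents to `audit_ldap_conf`; an empty list means TLS_REQCERT requires verification and the CA file exists and holds at least one PEM certificate, which is the state Marco describes for his TLS_CACERT file. The script does not validate the certificate chain itself; it only catches the configuration-level mistakes the thread discusses.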