From: | Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com> |
---|---|
To: | Thomas Munro <thomas(dot)munro(at)gmail(dot)com> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: LDAPS trusted ca support |
Date: | 2019-12-02 15:37:30 |
Message-ID: | CACg0f4bODC3tF0XMxqO4qs5y2j2C-=8LYdaZo=dxy6gDQfQHDQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
For the records, to avoid setting more permissions to ldap.conf, it enough
to add the following line
Environment=LDAPTLS_CACERT=/var/lib/pgsql/12/data/my-root-ca.pem
To the systemd's postgresql-12.service file!
Thanks again,
Il giorno lun 2 dic 2019 alle ore 14:13 Marco Cuccato <
mcuccato(dot)vts(at)gmail(dot)com> ha scritto:
> Thanks Thomas,
> your suggestions put me on the right way.
> I was performing the ldapsearch as root and not as the postgresql user,
> that is the user that run postgres service.
> Thanks to ldapsearch debug, I found that this user was not able to read
> the /etc/openldap/ldap.conf file, which contains the TLS configuration
> properties such as TLS_CACERT, TLS_CACERTDIR and TLS_CACERTFILE that points
> to the needed self-signed certificate.
> After letting postgres user to read this file, the ldap authentication
> works.
> Just a precisation: ldapscheme=ldap with ldaptls=1 works, any other
> combination does not work.
> Thank you very much,
> Marco
>
> Il giorno lun 25 nov 2019 alle ore 22:33 Thomas Munro <
> thomas(dot)munro(at)gmail(dot)com> ha scritto:
>
>> On Tue, Nov 26, 2019 at 4:35 AM Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com>
>> wrote:
>> > Ok sorry for the mail before I misunderstood your suggestion.
>> > I verified the ldap.conf file and the TLS_CACERT parameter points to a
>> PEM file which already contains the certificate that signs the LDAP server
>> certificate.
>>
>> Here are some things I'd check: When you used the ldapsearch command,
>> did you use -ZZ? (Just -Z means something like try to use SSL but
>> don't worry if it doesn't work; -ZZ requires it to work). Does the
>> "postgres" user (assuming the RHEL packages use that to run
>> PostgreSQL) have permissions to read the files it needs to read? If
>> you become that user with su - postgres, can you use the "ldapsearch"
>> command successfully? If you do strace -f -p [postmaster], and then
>> try to log in with your LDAP-authenticated user, does it give you a
>> clue about what files it is accessing or failing to access, and then
>> if you compare "strace ldapsearch ...", does that give you a clue
>> about what is different? If you do ldd /path/to/postgres and ldd
>> /path/to/ldapsearch can you see that they're both using the same
>> libldap-XXX.so.Y (if they were using different OpenLDAP client
>> libraries they might have different .conf paths compiled into them)?
>>
>
From | Date | Subject | |
---|---|---|---|
Next Message | Andres Freund | 2019-12-02 16:12:22 | Re: logical replication: could not create file "state.tmp": File exists |
Previous Message | Marco Cuccato | 2019-12-02 13:13:37 | Re: LDAPS trusted ca support |