RE: PGAdmin with Postgres backend and web auth

From: Scot Kreienkamp <Scot(dot)Kreienkamp(at)la-z-boy(dot)com>
To: Yogesh Mahajan <yogesh(dot)mahajan(at)enterprisedb(dot)com>
Cc: "pgadmin-support(at)lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org>
Subject: RE: PGAdmin with Postgres backend and web auth
Date: 2024-07-22 14:38:16
Message-ID: DM6PR15MB3797033C0B804EB78F9063959AA82@DM6PR15MB3797.namprd15.prod.outlook.com
Lists: pgadmin-support

For anyone interested in this issue:

https://github.com/pgadmin-org/pgadmin4/issues/7728

Scot Kreienkamp | Applications Infrastructure Architect | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | • (734) 384-6403 | | • 1-734-915-1444 | Email: Scot(dot)Kreienkamp(at)la-z-boy(dot)com

From: Scot Kreienkamp <Scot(dot)Kreienkamp(at)la-z-boy(dot)com>
Sent: Thursday, July 18, 2024 8:34 AM
To: Yogesh Mahajan <yogesh(dot)mahajan(at)enterprisedb(dot)com>
Cc: pgadmin-support(at)lists(dot)postgresql(dot)org
Subject: RE: PGAdmin with Postgres backend and web auth

I have tried the private window; it makes no difference. I’ve also tried changing the working instance to use the latest image, which then doesn’t work. I’m using the same config for both versions; it works on the older version but not the latest version. The only difference between the two is the port.

Here’s the HTTPD config:

<VirtualHost *:8080>
    SSLEngine on
    SSLCertificateFile /etc/ssl/wildcard.crt
    SSLCertificateKeyFile /etc/ssl/wildcard.key
    ProxyPass / http://127.0.0.1:8080/ retry=0
    ProxyPassReverse / http://127.0.0.1:8080/ retry=0
    <LocationMatch "^(?!/dologin.html|/4C-Vertical.jpg)" >
        AuthType form
        AuthName "Login Required"
        AuthFormLoginRequiredLocation https://%{SERVER_NAME}/dologin.html
        AuthFormLoginSuccessLocation https://%{SERVER_NAME}/
        AuthFormProvider ldap-vip ldap-na
        AuthFormLogoutLocation https://%{SERVER_NAME}/login.html
        #Redirect to login.html for anything unauthorized
        ErrorDocument 401 "/dologin.html"
        Require valid-user
        Session On
        SessionCookieName session path=/
        RewriteEngine on
        RewriteCond %{REMOTE_USER} (.*)
        RewriteRule .* - [E=X_REMOTE_USER:%1]
        RequestHeader set REMOTE_USER %{X_REMOTE_USER}e
    </LocationMatch>
    <Location /dologin>
        SetHandler form-login-handler
        Header unset ETag
        Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
    </Location>
</VirtualHost>

Scot Kreienkamp | Applications Infrastructure Architect | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | • (734) 384-6403 | | • 1-734-915-1444 | Email: Scot(dot)Kreienkamp(at)la-z-boy(dot)com

From: Yogesh Mahajan <yogesh(dot)mahajan(at)enterprisedb(dot)com>
Sent: Thursday, July 18, 2024 2:44 AM
To: Scot Kreienkamp <Scot(dot)Kreienkamp(at)la-z-boy(dot)com>
Cc: pgadmin-support(at)lists(dot)postgresql(dot)org
Subject: Re: PGAdmin with Postgres backend and web auth

Hi,

Have you tried using a private window? Also can you please share your HTTPD conf?

Thanks,
Yogesh Mahajan
EnterpriseDB

On Thu, Jul 18, 2024 at 1:13 AM Scot Kreienkamp <Scot(dot)Kreienkamp(at)la-z-boy(dot)com> wrote:
Hi list, I’m trying to set up two versions of PGAdmin, 6.12 and latest, using dockerhub images running on RH9. I’m fronting this with HTTPD as a reverse proxy and authentication layer.

Here’s the command line I’m using to run both versions:

/usr/bin/podman run \
-e PGADMIN_DEFAULT_EMAIL=$MYEMAIL \
-e "PGADMIN_DEFAULT_PASSWORD=$PASSWORD" \
-e "PGADMIN_CONFIG_AUTHENTICATION_SOURCES=['webserver']" \
-e PGADMIN_CONFIG_WEBSERVER_AUTO_CREATE_USER=True \
-e PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED=False \
-e "PGADMIN_CONFIG_CONFIG_DATABASE_URI='postgresql://$PGUSER:$PGPASS@$PGHOST:5432/$PGDB'" \
-e 'PGADMIN_CONFIG_CONSOLE_LOG_LEVEL=10' \
--conmon-pidfile %t/%n-pid \
--cidfile %t/%n-cid \
--privileged \
-p 127.0.0.1:8081:80 \
-v /var/lib/pgadmin/%N:/var/lib/pgadmin \
--name %N \
docker.io/dpage/pgadmin4:$VERSION

This works perfectly with 6.12. I can connect with the web browser and go to PGAdmin, and I’m logged in as I expected to be.

With latest I keep getting the messages “webserver authenticate failed” from PGAdmin, and I keep landing at the PGAdmin login screen despite having internal authentication disabled.

I’m seeing these syslog messages:
Jul 17 15:06:11 pgadmin.na.lzb.hq pgadmin[452429]: 2024-07-17 19:06:11,292: DEBUG pgadmin: Authentication initiated via source: webserver
Jul 17 15:06:11 pgadmin.na.lzb.hq pgadmin.service[452271]: 2024-07-17 19:06:11,292: DEBUG pgadmin: Authentication initiated via source: webserver
Jul 17 15:06:11 pgadmin.na.lzb.hq pgadmin[452429]: 2024-07-17 19:06:11,293: DEBUG pgadmin: Authentication initiated via source: webserver is failed.
Jul 17 15:06:11 pgadmin.na.lzb.hq pgadmin.service[452271]: 2024-07-17 19:06:11,293: DEBUG pgadmin: Authentication initiated via source: webserver is failed.

I thought maybe it wasn’t picking up the default email and password so I tried every combination I could think of for quoting default email and password, with no improvement. The default email and password don’t work on the login screen and I never get into PGAdmin. I can’t figure out why it works on the old version but not the new version. I know I don’t need the mount on /var/lib/pgadmin with the database, that’s just there because I haven’t taken it out yet. With the database config that directory is empty anyway.

Any ideas?

Scot Kreienkamp | Applications Infrastructure Architect | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | • (734) 384-6403 | | • 1-734-915-1444 | • Scot(dot)Kreienkamp(at)la-z-boy(dot)com