Re: PAM LDAP CREATE USER

> From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
> Aaron_Wright(at)selinc(dot)com writes:
> > I recently upgraded from 8.4 to 9.3, and my custom LDAP PAM module no
> > longer works.
>
> 8.4.what and 9.3.what?

8.4.16 to 9.3.4

> Have you checked the behavior in any other releases?

Not yet. I was interested in getting a laugh test from the mailing list
first; to see if I was completely off my rocker or not.

> > In brief, my LDAP PAM module authenticates a centralized user and then

> > creates a matching database user, using a separate super user
connection
> > to the database, before returning successfully from the PAM module.
This
> > used to work beautifully, but now I get a FATAL error, "role %s does
not
> > exist".
>
> That seems mighty Rube Goldbergian

From what I've researched this is the only way to accomplish what I'm
trying to. Everything I read online keeps telling me that in order for
LDAP to work with postgresql, the user must already exist in the database.
Most of the workarounds for this, involve a cron job that sucks up the
entire directory of users and creates matching users in the database
periodically.

That seems a little crazy to me, so I have a PAM LDAP module which creates
the users on the fly.

> ... but it's not clear why it used to
> work and doesn't anymore. If you'd said 9.4 I'd have guessed at a
corner
> case in catalog snapshot invalidation, but I think 9.3 would just be
> looking for the role with SnapshotNow, which should pretty much always
> work. (You're sure the transaction in the background is getting
committed
> in time, right? And it's being sent to the 9.3 DB not the 8.4 one?)

The PAM LDAP module uses PQconnectdb to create a super user connection to
the database. It uses PQexec to run "CREATE USER 'user' PASSWORD NULL IN
ROLE 'role';". And finishes up with a PQfinish before PAM_SUCCESS is
returned to postgres. I'm a bit limited in my database knowledge, so
please let me know if that sequence is leaving something dangling. I see
the "CREATE USER" query in the pg_log file.

Also, if I try to log in a second time, it works fine. This is presumably
because the user now exists.

> Also, just to clarify: this is a PAM auth module that just happens to
talk
> to some LDAP server behind the scenes, right? If Postgres thinks this
is
> LDAP auth method then some other possibilities open up --- but AFAICS
> we've not touched the PAM code since 8.4.2.

You're correct, this is a PAM auth module that handles talking to the LDAP
server and authenticating the user.

pg_hba.conf line includes "host all all 0.0.0.0/0 pam pamservice=..." and
there's a matching pam configuration file.

I'm not familiar with the "LDAP auth method", but I don't think I can use
that as the documents say, "user must already exist" in that situation,
which is the same problem I'm trying to fix.

> regards, tom lane