| From: | "Zechman, Derek S" <Derek(dot)S(dot)Zechman(at)snapon(dot)com> |
|---|---|
| To: | "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
| Subject: | pg_hba.conf "authentication file token too long, skipping" |
| Date: | 2023-07-24 15:05:15 |
| Message-ID: | PH0PR04MB8294A4C5A65D9D492CBBD349C002A@PH0PR04MB8294.namprd04.prod.outlook.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Hello and thank you in advance for your time.
* We use ldap to authenticate users.
* We utilize ldapsearchfilter to look for a user in a specified Security Group.
* Some clusters have multiple security groups that have been authorized to login.
* It seems that after we have more than 2 security groups we hit limit on the pg_hba entry length
* Here is our entry - I have put x's that correspond to exact character lengths. Our ldapbindpasswd is 30 characters
hostssl all +fnc_personal_account_rl XXX.XX.X.X/16 ldap ldapserver=xxxx-xxxx-xx-xx.mydomainname.com ldapbasedn="OU=Users,OU=Primary,OU=All,DC=mydomainname,DC=com" ldapbinddn="CN=abc_postgres_sa,OU=T1-ServiceAccounts,OU=Tier1,OU=Admin,OU=All,DC=mydomainname,DC=com" ldapbindpasswd="30characterpassword" ldapsearchfilter="(&(objectClass=user)(sAMAccountName=$username)(|(memberof=CN=xxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=XxxxxxXXXx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=xxxxxxxxxxxxxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)))"
* And then here is the error that we get with reload. If we stop and then try to start the cluster will not start at all.
2023-07-24 10:30:01.063 EDT,,,720234,,64be8ac0.afd6a,7,,2023-07-24 10:29:20 EDT,,0,LOG,00000,"received SIGHUP, reloading configuration files",,,,,,,,"SIGHUP_handler, postmaster.c:2717","","postmaster",,0
2023-07-24 10:30:01.064 EDT,,,720234,,64be8ac0.afd6a,8,,2023-07-24 10:29:20 EDT,,0,LOG,F0000,"authentication file token too long, skipping: ""ldapsearchfilter=(&(objectClass=user)(sAMAccountName=$username)(|(memberof=CN=xxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=XxxxxxXXXx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=xxxxxxxxxxxxxx,OU=Groups,OU=Primar""",,,,,,,,"next_token, hba.c:242","","postmaster",,0
2023-07-24 10:30:01.064 EDT,,,720234,,64be8ac0.afd6a,9,,2023-07-24 10:29:20 EDT,,0,LOG,00000,"pg_hba.conf was not reloaded",,,,,,,,"SIGHUP_handler, postmaster.c:2743","","postmaster",,0
Here is my relevant environment details:
postgres --version (have tried on both below versions - same error)
postgres (PostgreSQL) 14.8
postgres (PostgreSQL) 15.3
NAME="Red Hat Enterprise Linux"
VERSION="8.8 (Ootpa)"
Kernel - 4.18.0-477.15.1.el8_8.x86_64
* This entry works - which only has 2 Security groups defined
hostssl all +fnc_personal_account_rl XXX.XX.X.X/16 ldap ldapserver=xxxx-xxxx-xx-xx.mydomainname.com ldapbasedn="OU=Users,OU=Primary,OU=All,DC=mydomainname,DC=com" ldapbinddn="CN=abc_postgres_sa,OU=T1-ServiceAccounts,OU=Tier1,OU=Admin,OU=All,DC=mydomainname,DC=com" ldapbindpasswd="30characterpassword" ldapsearchfilter="(&(objectClass=user)(sAMAccountName=$username)(|(memberof=CN=XxxxxxXXXx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=xxxxxxxxxxxxxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)))"
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2023-07-24 16:51:35 | Re: pg_hba.conf "authentication file token too long, skipping" |
| Previous Message | Masahiko Sawada | 2023-07-24 01:39:54 | Re: BUG #18031: Segmentation fault after deadlock within VACUUM's parallel worker |