From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
---|---|
To: | Anjul Tyagi <anjul(at)ibosstech-us(dot)com>, pgsql-admin <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: LDAP Configuration |
Date: | 2020-04-01 11:33:04 |
Message-ID: | d57dc066aa37cf87be2d0c9936f0d43557ba4be9.camel@cybertec.at |
Lists: | pgsql-admin |
On Wed, 2020-04-01 at 10:29 +0000, Anjul Tyagi wrote:
> We are implementing LDAP authentication and we are able to connect with LDAP and able to
> authenticate the user with that. However, we have 2 types of users: one, corporate users
> available in Active Directory, and second, application users, which are used by different
> applications to connect with the database.
>
> Below is the entry I made in the pg_hba.conf file; if I create a user in the DB (a similar one exists in AD) it works.
> However, if I create a user with a password, it calls the LDAP server for authentication
> and fails as it does not exist in AD.
>
> host all all 0.0.0.0/0 ldap ldapserver=<LDAL Server> ldapbasedn="OU=Corporate,DC=etch,dc=com" ldapbinddn="CN=AdSyncAcct,OU=Service Accounts,DC=etch,DC=com"
> ldapbindpasswd="Password" ldapsearchattribute="sAMAccountName"
>
> We are using postgres version 10.10.
>
> Can you please suggest the pg_hba.conf file entry that will help us to authenticate the users
> from LDAP and from postgres as well?

Create a NOLOGIN role "ldapusers" in PostgreSQL and assign the users to authenticate
with LDAP to that group.

Then use two lines in pg_hba.conf:

    host all +ldapusers 0.0.0.0/0 ldap ...
    host all all 0.0.0.0/0 scram-sha-256

All users in the "ldapusers" group will be authenticated with LDAP,
and the others will "fall through" to the password authentication.

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
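
Added example (not part of the original message and not PostgreSQL's own code): a simplified Python model of how pg_hba.conf selects a record for the two lines in the reply, usable to check which roles end up on LDAP and which on scram-sha-256. The role names alice, staff and app_billing and the database appdb are hypothetical, and only `host` records with CIDR addresses are modelled.

```python
import ipaddress

# Constructed sample: the two records from the reply (LDAP options elided as in the mail).
PG_HBA = """\
host all +ldapusers 0.0.0.0/0 ldap
host all all        0.0.0.0/0 scram-sha-256
"""

# Constructed memberships: role -> roles it was granted. All names except
# "ldapusers" are hypothetical.
MEMBER_OF = {"alice": {"staff"}, "staff": {"ldapusers"}, "app_billing": set()}


def is_member(role, group, member_of):
    """True if role is group itself or a direct or indirect member of it."""
    seen, todo = set(), [role]
    while todo:
        current = todo.pop()
        if current == group:
            return True
        if current not in seen:
            seen.add(current)
            todo.extend(member_of.get(current, ()))
    return False


def user_matches(field, role, member_of):
    """Match the USER column: 'all', an exact role name, or '+group' membership."""
    for name in field.split(","):
        if name in ("all", role):
            return True
        if name.startswith("+") and is_member(role, name[1:], member_of):
            return True
    return False


def auth_method(hba_text, database, role, client_ip, member_of):
    """Method of the first matching 'host' record, or None (connection rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for line in hba_text.splitlines():
        fields = line.split("#", 1)[0].split()  # simplified: no quoted values
        if len(fields) < 5 or fields[0] != "host":
            continue
        db, user, cidr, method = fields[1:5]
        net = ipaddress.ip_network(cidr, strict=False)
        db_ok = any(d in ("all", database) for d in db.split(","))
        if db_ok and user_matches(user, role, member_of) and ip in net:
            return method  # first match wins; later records are never consulted
    return None
```

The record is chosen on connection type, database, role and client address before any credential is checked, so a member of ldapusers whose LDAP bind fails is rejected rather than retried with scram-sha-256. Swapping the two lines sends every role to scram-sha-256, because the `all` record then matches first.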