Michael, * Michael O'Donnell (odonnellm@xxxxxxxx) wrote: > I am trying to authenticate PostgreSQL 9.0 login roles against LDAP/Active > directory (AD). PostgreSQL 9.0 is installed on a Windows 2008 R2 64bit. My > pg_hba.conf setting looks like the following: My first reaction to this, to be honest, is to ask why you're using LDAP-based authentication instead of SSPI/Kerberos-based authentication? Kerberos is supported and is a much better protocol that would, among other things, prevent the server from ever seeing an individual user's password. > When I use the following psql command I get an error: > C:\Windows\System32>psql -d <db> -U <user> -W > Password for user <user>: > psql: FATAL: password authentication failed for user "<user>" Since it works with a different user, I wonder if there's some issue just passing the username on the command-line; are you sure that the user shown in the error from psql matches what you're passing in? Have you checked the PostgreSQL server logs? Do you have anything in pg_ident.conf? > I have added the <user> to the login role and the user exists in AD. Not quite sure what you mean, exactly, by having the user added to the 'login' role, but you definitely want to make sure that the 'LOGIN' attribute is set for the role; eg: ALTER ROLE user WITH LOGIN; > If I use pyscopg2 (a python module that is commonly used for PostgreSQL > interaction), I can actually connect to the database using the settings > specified in the pg_hba.conf file shown above. If I use a false username, > the script fails. Therefore the script is behaving as I would expect, but > I am confussed why psql is behaving differently. This definitely makes me wonder if there's something weird with the user being passed on the command-line that's causing the issue. > 3. Is the transfer of the password automatically encrypted? I read in a > blog that using LDAP does not encrypt and I need to use SSL. I tried using > ldaptls=1 but this was causing a failure in postgres reading the conf. More specifics about this would help- the exact pg_hba.conf line, the exact error from the server logs, etc. Of course, just moving to Kerberos-based authentication would simplify this whole thing and remove all the LDAP fun.. Thanks, Stephen
Attachment:
signature.asc
Description: Digital signature