Thanks for the input Stephen, we are using active directory.
- Sathesh
From: Stephen Frost <sfrost@xxxxxxxxxxx>
Sent: Wednesday, February 14, 2018 7:51:06 PM
To: Sathesh S
Cc: pgsql-admin@xxxxxxxxxxxxxx
Subject: Re: Disable /Suppress hostname checks while secured LDAP
Sent: Wednesday, February 14, 2018 7:51:06 PM
To: Sathesh S
Cc: pgsql-admin@xxxxxxxxxxxxxx
Subject: Re: Disable /Suppress hostname checks while secured LDAP
Greetings,
* Sathesh S (sathesh.sundaram@xxxxxxxxxxx) wrote:
> Is there a way to disable/suppress hostname checks in while using Secured LDAP in postgreSQL for authentication.
>
> The issue what we have is that the LDAP certificate what we are using is working for fully qualified named of the domain but not when we use a direct LDAP server in the pg_ba.conf file.
>
> For example:
> This works - ldapserver="ldaps//dummy.company.com"
>
> This doesnt work - ldapserver="server1.dummy.company.com"
>
> Our internal LDAP team says that we nees to disable/suppress the hostname checking on the postgreSQL side for the 2nd option to work.
>
> Does anyone have an idea on how we can suppress hostnames check while using Secured LDAP.
This really isn't recommended because the point of the hostname check is
to verify that you're actually talking to the server you intended to.
What LDAP server are you using though..? If this is in an Active
Directory environment, or any environment where you have Kerberos
available, then you should be using Kerberos and *not* using LDAP (or
even LDAPS) for authentication as it isn't nearly as secure.
Thanks!
Stephen
* Sathesh S (sathesh.sundaram@xxxxxxxxxxx) wrote:
> Is there a way to disable/suppress hostname checks in while using Secured LDAP in postgreSQL for authentication.
>
> The issue what we have is that the LDAP certificate what we are using is working for fully qualified named of the domain but not when we use a direct LDAP server in the pg_ba.conf file.
>
> For example:
> This works - ldapserver="ldaps//dummy.company.com"
>
> This doesnt work - ldapserver="server1.dummy.company.com"
>
> Our internal LDAP team says that we nees to disable/suppress the hostname checking on the postgreSQL side for the 2nd option to work.
>
> Does anyone have an idea on how we can suppress hostnames check while using Secured LDAP.
This really isn't recommended because the point of the hostname check is
to verify that you're actually talking to the server you intended to.
What LDAP server are you using though..? If this is in an Active
Directory environment, or any environment where you have Kerberos
available, then you should be using Kerberos and *not* using LDAP (or
even LDAPS) for authentication as it isn't nearly as secure.
Thanks!
Stephen