On Wed, 2020-04-01 at 10:29 +0000, Anjul Tyagi wrote:
> We are implementing LDAP authentication and we are able to connect with LDAP and able to
> authenticate the user with that. However, we have 2 types of users: one, corporate users,
> available in Active Directory, and second, application users, which are used by different
> applications to connect with the database.
>
> Below is the entry I made in the pg_hba.conf file; if I create a user in the DB (a similar one exists in AD) it works.
> However, if I create one user with a password, it calls the LDAP server for authentication
> and fails as it does not exist in AD.
>
> host all all 0.0.0.0/0 ldap ldapserver=<LDAP Server> ldapbasedn="OU=Corporate,DC=etch,dc=com" ldapbinddn="CN=AdSyncAcct,OU=Service Accounts,DC=etch,DC=com" ldapbindpasswd="Password" ldapsearchattribute="sAMAccountName"
>
> We are using the postgres 10.10 version.
>
> Can you please suggest a pg_hba.conf file entry that will help us to authenticate the users
> from LDAP and from postgres as well.

Create a NOLOGIN role "ldapusers" in PostgreSQL and assign the users to authenticate with LDAP to that group.

Then use two lines in pg_hba.conf:

  host all +ldapusers 0.0.0.0/0 ldap ...
  host all all 0.0.0.0/0 scram-sha-256

All users in the "ldapusers" group will be authenticated with LDAP, and the others will "fall through" to the password authentication.

Yours,
Laurenz Albe

--
Cybertec | https://www.cybertec-postgresql.com
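The role setup that the two-line pg_hba.conf scheme above relies on, as an added example that is not part of the original thread or of any PostgreSQL documentation. The role names jdoe and app_reporting and the placeholder password are constructed; the ldapusers group name and the pg_hba.conf lines are the ones from the reply.

```sql
-- Added example (not from the original mail): the role setup behind the
-- two-line pg_hba.conf scheme. Role names and the password are made up.

-- 1. A group role that can never log in itself. Membership in this group
--    is the only thing that routes a user to the LDAP line in pg_hba.conf.
CREATE ROLE ldapusers NOLOGIN;

-- 2. A corporate user: the role name must equal the AD sAMAccountName
--    (ldapsearchattribute in the original entry), it gets no local
--    password, and it is made a member of ldapusers.
CREATE ROLE jdoe LOGIN;
GRANT ldapusers TO jdoe;

-- 3. An application user: local SCRAM password, deliberately NOT a member
--    of ldapusers, so it does not match "+ldapusers" and reaches the
--    scram-sha-256 line instead. password_encryption accepts
--    'scram-sha-256' from PostgreSQL 10 on, which matches the 10.10 in use.
SET password_encryption = 'scram-sha-256';
CREATE ROLE app_reporting LOGIN PASSWORD 'change-me-placeholder';

-- 4. Verification: list every role that will be sent to LDAP. With the
--    roles above this returns jdoe only; app_reporting must not appear.
SELECT r.rolname
FROM pg_roles r
JOIN pg_auth_members m ON m.member = r.oid
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname = 'ldapusers'
ORDER BY r.rolname;

-- 5. Sanity check on the application role: it must have a SCRAM verifier,
--    not an md5 one, or the scram-sha-256 line will reject it.
SELECT rolname, rolpassword LIKE 'SCRAM-SHA-256$%' AS has_scram_verifier
FROM pg_authid
WHERE rolname = 'app_reporting';

-- The matching pg_hba.conf records (a file in the data directory, not SQL).
-- The "+ldapusers" record must come first: pg_hba.conf is read top to
-- bottom and the first record whose type, address, database and user
-- match is the one used; a failed authentication there does not fall
-- through to later records.
--   host  all  +ldapusers  0.0.0.0/0  ldap  ldapserver=<LDAP Server> ldapbasedn="OU=Corporate,DC=etch,dc=com" ldapbinddn="CN=AdSyncAcct,OU=Service Accounts,DC=etch,DC=com" ldapbindpasswd="Password" ldapsearchattribute="sAMAccountName"
--   host  all  all         0.0.0.0/0  scram-sha-256
```

Two points worth checking after applying this. First, "fall through" here means that non-members never match the first record at all, not that a failed LDAP bind retries with a password; a corporate user who is a member of ldapusers but has no AD account will simply be rejected. Second, the first record carries the AD bind account's password in clear text, so pg_hba.conf should stay readable only by the operating-system user that runs the server, and that bind account should be limited to the read access the directory search needs.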