Search Postgresql Archives

Re: User Name Maps seem broken in 11.1 on CentOS 7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1/29/19 1:11 PM, Viktor Berke wrote:
Hi,

After some talk with the helpful folks of #postgresql I see no other option but to ask here. I'm trying to set up proper authentication for our corprorate users. They'll access postgres both from their workstations via TCP, and also locally. Locally, they're authenticated using SSSD which in turn is using LDAP to talk to our Active Directory DCs. That's not very relevant, but I just wanted to explain precisely.

Anyhow, we try to enforce the "user.name@xxxxxxxxxxx" login wherever we can, so this is how I set up LDAP auth:

hostssl all all 10.1.0.1/16 ldap ldapserver=dc2.ad.foobar.com ldapport=636 ldapscheme=ldaps ldaptls=0 ldapbinddn="CN=ldap,OU=Helpers,OU=Foobar,DC=ad,DC=foobar,DC=com" ldapbindpasswd=*** ldapsearchattribute=mail ldapbasedn="OU=Users,OU=Foobar,DC=ad,DC=foobar,DC=com"

This works perfectly fine. I create the role, e.g.:

CREATE ROLE "jane.doe@xxxxxxxxxx" CREATEDB CREATEROLE LOGIN;

Then she can log in fine via pgAdmin or whatever, using her email address.

Now I want to set up peer authentication locally, so that they don't have to enter their passwords all the time when they're already authenticated to the OS. The idea is that I map the local "jane.doe" OS user to the "jane.doe@xxxxxxxxxx" role already present in postgres. This way I don't have to CREATE ROLE and manage permissions both for jane.doe and jane.doe@xxxxxxxxxx. So the map would look something like this, I guess:

foo /^(.*)$ \1@foobar\.com (or something like that?)

And here comes the problem: user name maps seem completely non-functional. First I suspected it's a problem with the dot in usernames, but even if I create a local Unix user ("foobar") and set

local all all peer map=foo

in pg_hba.conf and

foo foobar postgres

In pg_ident.conf, all I see in the log is that

2019-01-29 21:44:45.095 CET [41929] LOG:  no match in usermap "foo" for user "foobar" authenticated as "foobar" 2019-01-29 21:44:45.095 CET [41929] FATAL:  Peer authentication failed for user "foobar" 2019-01-29 21:44:45.095 CET [41929] DETAIL:  Connection matched pg_hba.conf line 79: "local all all peer map=foo"

Bummer. I also tried various regexes, even the likes of /^(.*)$, but the log ALWAYS says no match. The weird thing is that this is the log content even if there's nothing in pg_ident.conf, so it's like postgres doesn't even care about what's in there.

Is ident_file set to something else?:

https://www.postgresql.org/docs/11/runtime-config-file-locations.html#GUC-IDENT-FILE


Any ideas?

Regards,

Viktor


--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux