On 2/25/20 10:08 AM, Mani Sankar wrote:
Hi Adrian,
Should I want to try this configuration?
I thought you were already using this configuration?
Are the 9.4 and 11.5 instances on the same machine and/or network?
In other words is ldapserver=XXXXXXXXXXXXXXX pointing at the same thing?
Regards,
Mani.
On Tue, 25 Feb, 2020, 9:24 pm Adrian Klaver, <adrian.klaver@xxxxxxxxxxx> wrote:
On 2/24/20 9:07 PM, Mani Sankar wrote:
Please reply to list also.
Ccing list.
> Hi Adrian,
>
> Thanks for replying. Below are the requested details.
>
> ################ Configuration in 9.4 PG Version
>
> local all all ldap ldapserver=XXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host all someuser xx.xx.xx.xx/32 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host all someuser ::1/128 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host all all 0.0.0.0/0 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host all all ::1/128 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host replication someuser 0.0.0.0/0 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host replication someuser 0.0.0.0/0 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> ############ Configuration in 11.5 Version.
>
> local all all ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host all someuser xx.xx.xx.xx/32 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host all someuser ::1/128 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host all all 0.0.0.0/0 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host all all ::1/128 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host replication someuser 0.0.0.0/0 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host replication someuser 0.0.0.0/0 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host replication someuser 0.0.0.0/0 ldap ldapserver=XXXXXXXXXXXXXXX ldapport=3268 ldapprefix="ADS\" ldapsuffix="" ldaptls=1
>
> host replication replicator XXXXXXXXXXXXX/22 md5
>
> host replication replicator 1XXXXXXXXXXXX/22 md5
>
> Linux Version: Red Hat Enterprise Linux Server release 6.10 (Santiago)
>
> Server Installation is Source code installation. Custom build for our environment.
>
> Authentication logs from PG 11.5:
>
> 2020-02-24 00:00:15 MST [25089]: application=[unknown],host=xx.xx.xxx.xx(55742),user=[unknown],db=[unknown],state=00000 LOG: connection received: host=xx.xx.xxx.xx port=55742
>
> 2020-02-24 00:00:16 MST [25090]: application=[unknown],host=xx.xx.xxx.xx(55748),user=[unknown],db=[unknown],state=00000 LOG: connection received: host=xx.xx.xxx.xx port=55748
>
> 2020-02-24 00:00:16 MST [25092]: application=[unknown],host=xx.xx.xxx.xx(55765),user=[unknown],db=[unknown],state=00000 LOG: connection received: host=xx.xx.xxx.xx port=55765
>
> 2020-02-24 00:00:16 MST [25093]: application=[unknown],host=xx.xx.xxx.xx(55770),user=[unknown],db=[unknown],state=00000 LOG: connection received: host=xx.xx.xxx.xx port=55770
>
> 2020-02-24 00:00:17 MST [25090]: application=[unknown],host=xx.xx.xxx.xx(55748),user=Someuser,db=test_db,state=00000 LOG: connection authorized: user=Someuser database=test_db
>
> 2020-02-24 00:00:17 MST [25089]: application=[unknown],host=xx.xx.xxx.xx(55742),user=Someuser,db=test_db,state=00000 LOG: connection authorized: user=Someuser database=test_db
>
> 2020-02-24 00:00:17 MST [25092]: application=[unknown],host=xx.xx.xxx.xx(55765),user=Someuser,db=test_db,state=00000 LOG: connection authorized: user=Someuser database=test_db
>
> 2020-02-24 00:00:17 MST [25093]: application=[unknown],host=xx.xx.xxx.xx(55770),user=Someuser,db=test_db,state=00000 LOG: connection authorized: user=Someuser database=test_db
>
> Authentication logs from PG 9.4:
>
> 2020-02-17 22:40:01 MST [127575]: application=[unknown],host=xx.xx.xx.xx(39451),user=[unknown],db=[unknown] LOG: connection received: host=xx.xx.xx.xx port=39451
>
> 2020-02-17 22:40:01 MST [127575]: application=[unknown],host=xx.xx.xx.xx(39451),user=Someuser,db=test_db LOG: connection authorized: user=Someuser database=test_db
>
> 2020-02-24 21:57:44 MST [117472]: application=[unknown],host=xx.xx.xx.xx(58500),user=[unknown],db=[unknown] LOG: connection received: host=xx.xx.xx.xx port=58500
>
> 2020-02-24 21:57:44 MST [117472]: application=[unknown],host=xx.xx.xx.xx(58500),user=Someuser,db=test_db LOG: connection authorized: user=Someuser database=test_db
>
> 2020-02-24 21:58:27 MST [117620]: application=[unknown],host=xx.xx.xx.xx(58520),user=[unknown],db=[unknown] LOG: connection received: host=xx.xx.xx.xx port=58520
>
> 2020-02-24 21:58:27 MST [117620]: application=[unknown],host=xx.xx.xx.xx(58520),user=Someuser,db=test_db LOG: connection authorized: user=Someuser database=test_db
>
> 2020-02-24 21:58:31 MST [117632]: application=[unknown],host=xx.xx.xx.xx(58524),user=[unknown],db=[unknown] LOG: connection received: host=xx.xx.xx.xx port=58524
>
> 2020-02-24 21:58:31 MST [117632]: application=[unknown],host=xx.xx.xx.xx(58524),user=Someuser,db=test_db LOG: connection authorized: user=Someuser database=test_db
>
> We also have a local .ldaprc file with below entry
>
> TLS_REQCERT allow
>
>
> On Tue, Feb 25, 2020 at 2:28 AM Adrian Klaver <adrian.klaver@xxxxxxxxxxx> wrote:
>
> On 2/24/20 11:50 AM, Mani Sankar wrote:
> > Hi All,
> >
> > We have recently upgraded our postgres servers from 9.4 version to 11.5
> > version. Post upgrade we are seeing delay in authentication.
> >
> > Issue is when we are using ldaptls=1 the authentication takes 1 second
> > or greater than that. But if I disable ldaptls it's getting
> > authenticated within milliseconds.
> >
> > But in 9.4 even if I enable ldaptls it's getting authenticated within
> > milliseconds any idea why we are facing the issue?
>
> This is going to need a good deal more information:
>
> 1) OS the server is running on and did the OS or OS version change with
> the upgrade?
>
> 2) How was the server installed from packages (if so from where?) or from
> source?
>
> 3) The configuration for LDAP in pg_hba.conf.
>
> 4) Pertinent information from the Postgres log.
>
> 5) Pertinent information from the system log.
>
> >
> > Regards,
> > Mani.
> >
>
>
> --
> Adrian Klaver
> adrian.klaver@xxxxxxxxxxx
>
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx