Re: [LDAPS] Test connection user with ldaps server

On Sat, 2021-02-13 at 10:36 +0000, João Gaspar wrote:
> I have a PostgreSQL 13.1 (RHEL 8.3) Server and I want to configure the pg_hba.conf with a remote ldaps server.
> 
> My steps:
> 
> I create a PostgreSQL user1 with superuser role to test the ldaps authentication method in the terminal client.
> 
> Modify the pg_hba.conf to:
> 
> host    all             all             0.0.0.0/0               ldap    ldapurl="ldaps://serverurl:636/DC=company,DC=example,DC=com?sAMAccountName?sub" ldapbinddn="user-to-do-autentication-ldap-connection" ldapbindpasswd=" user-ldap-connection password-autentication"
> 
> Save and restart the PostgreSQL service.
> 
> Try to connect with the terminal client with psql -h postgresqlremoteserverhost -U user1, and after entering the password it gives the following error:
> psql: FATAL:  LDAP authentication failed for user "user1"
> 
> I validated the LDAP user1 with ldapsearch (on the RHEL host) and user1 appears in the ldapsearch output correctly, using the same ldapurl, ldapbinddn and ldapbindpasswd.
> 
> Checking the remote PostgreSQL logs, the connection to the remote ldaps server does the correct authentication but can't search by the attribute sAMAccountName. Here is the PostgreSQL log:
> could not search LDAP for filter "(sAMAccountName=user1)" on server "serverurl": Operations error 2021-02-13 10:02:54.679 WET [1127801] DETAIL:  LDAP diagnostics: 000004DC: LdapErr: DSID-0C0907E9, comment: To perform this operation a successful bind must be completed on the connection., data 0, v2580
> 
> Info: The user1 was created as well in the ldaps server with sAMAccountName user1.  
> 
> It seems that the problem is in how the pg_hba.conf tells it to search. Has anyone had a similar problem or a resolution?

That error looks strange to me, but I am not an LDAP expert.

Your configuration seems fine to me, and if it gets to search, it must have bound to
"DC=company,DC=example,DC=com?sAMAccountName" as the "ldapbinddn" first.

What I would do is experiment with the "ldapsearch" executable from OpenLDAP and see
if you can reproduce the problem from the command line.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
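As an added example (not part of the thread, and not PostgreSQL's or Cybertec's code), the POSIX shell script below takes the values from a pg_hba.conf "ldap" line and prints the ldapsearch/ldapwhoami commands that reproduce, step by step, what PostgreSQL's search+bind mode does: an initial bind as ldapbinddn, a search under the base DN for (attribute=login), then a second bind as the DN that the search returned, using the password the client typed. The URL parser applies the same defaults PostgreSQL documents for ldapurl (attribute uid, scope base, port 389 or 636 by scheme). The host name, bind DN and login are the placeholders from the thread; the password-file path is an assumption.

```shell
#!/bin/sh
# Added example: reproduce PostgreSQL's search+bind LDAP flow with the OpenLDAP
# command-line tools, starting from the pg_hba.conf values. All names below are
# constructed placeholders copied from the thread, not a real directory.

LDAPURL='ldaps://serverurl:636/DC=company,DC=example,DC=com?sAMAccountName?sub'
BINDDN='user-to-do-autentication-ldap-connection'
LOGIN='user1'
# Assumed path for the bind password file; see the usage note below.
PASSFILE="/run/user/$(id -u)/pgldap.pw"

# Split a PostgreSQL ldapurl (ldap[s]://host[:port]/basedn[?attr[?scope]])
# into its parts, applying PostgreSQL's defaults: attribute uid, scope base,
# port 389 for ldap and 636 for ldaps.
# Prints one line: scheme|host|port|basedn|attribute|scope
pg_ldapurl_parts() {
  url=$1
  scheme=${url%%://*}
  rest=${url#*://}
  hostport=${rest%%/*}
  path=${rest#*/}
  [ "$path" = "$rest" ] && path=''          # no "/" at all: empty base DN
  host=${hostport%%:*}
  port=${hostport#*:}
  [ "$port" = "$hostport" ] && port=''      # no ":" in host part
  if [ -z "$port" ]; then
    case $scheme in ldaps) port=636 ;; *) port=389 ;; esac
  fi
  base=${path%%\?*}
  q=${path#*\?}
  [ "$q" = "$path" ] && q=''                # no "?" after the base DN
  attr=${q%%\?*}
  scope=${q#*\?}
  [ "$scope" = "$q" ] && scope=''           # attribute given, scope not
  [ -n "$attr" ] || attr=uid
  [ -n "$scope" ] || scope=base
  printf '%s|%s|%s|%s|%s|%s\n' "$scheme" "$host" "$port" "$base" "$attr" "$scope"
}

# Steps 1 and 2: bind as ldapbinddn and run the search PostgreSQL would run.
# The bind password is read from a file (-y) rather than passed with -w, so it
# does not appear in `ps` output or shell history.
ldapsearch_cmd() {
  parts=$(pg_ldapurl_parts "$1")
  binddn=$2
  passfile=$3
  login=$4
  IFS='|' read -r scheme host port base attr scope <<EOF
$parts
EOF
  printf 'ldapsearch -LLL -x -H %s://%s:%s -D "%s" -y "%s" -b "%s" -s %s "(%s=%s)" dn\n' \
    "$scheme" "$host" "$port" "$binddn" "$passfile" "$base" "$scope" "$attr" "$login"
}

# Step 3: bind as the DN the search returned, with the user's own password
# (also from a file). ldapwhoami succeeds only if that bind succeeds.
ldapwhoami_cmd() {
  parts=$(pg_ldapurl_parts "$1")
  userdn=$2
  passfile=$3
  IFS='|' read -r scheme host port base attr scope <<EOF
$parts
EOF
  printf 'ldapwhoami -x -H %s://%s:%s -D "%s" -y "%s"\n' \
    "$scheme" "$host" "$port" "$userdn" "$passfile"
}

# Print the commands to run by hand against the real directory.
echo "# step 1+2 (initial bind + search):"
ldapsearch_cmd "$LDAPURL" "$BINDDN" "$PASSFILE" "$LOGIN"
echo "# step 3 (bind as the DN returned above; 'CN=user1,...' is a placeholder):"
ldapwhoami_cmd "$LDAPURL" 'CN=user1,DC=company,DC=example,DC=com' "$PASSFILE.user"
```

Create the password file with `printf '%s' 'the-password' > "$PASSFILE"; chmod 600 "$PASSFILE"` rather than `echo`, because `-y` reads the file byte for byte and a trailing newline, or any whitespace inside the quotes of ldapbindpasswd in pg_hba.conf, becomes part of the password that is sent. Running the step 1+2 command a second time without `-D` and `-y` shows what the directory returns to an unbound (anonymous) search, which is useful to compare against the diagnostic quoted in the log above.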