
Re: PostGres Config to Authenticate against AD over LDAP


Richard Esmonde wrote:

I'm new to PostGres (so go easy on my naivety).  I am trying to configure
the postgres host based configuration file to permit users to authenticate
against our Active Directory.

OK. Never tried that myself, but let's see.

Needless to say both Ubuntu server and AD are in the same Domain.

- I am running PostGRESQL v8.3.7 on a 64-Bit Ubuntu Hardy Heron Dell server with Apache 2.
- I am not running SSL.
- This work is happening on a LAN.  My AD server=master1 and the LAN=belfry.lan
- I installed Postgres as follows:

  # sudo apt-get install postgresql-8.3 postgresql-client-8.3 postgresql-client-common postgresql-common

All good info. Grab yourself a copy of the source from postgresql.org too when you have time. Always useful to have a copy. Oh and "ack" too (package is "ack-grep" on Ubuntu I think) - it's an improved version of grep.

It runs just fine and I can create databases users and tables with no
problems.

Currently, the end of my pg_hba.conf file looks like:

Nothing leaping out at me here. One thing to be aware of is that PG will try the first authentication method that matches host+db and not try any further ones.

I created a testuser and a test database.  The user, testuser, exists in my
Active Directory with a different password.  I can connect as testuser to
the DB via command line or via pgAdmin III with the postgres password for
testuser.  When I try to connect using the user's LDAP password I always get:

    psql: FATAL:  password authentication failed for user testuser

Well, I'd expect LDAP to be mentioned somewhere. Using my source tree, ack and mighty powers of C knowledge:

backend/libpq/auth.c

        case uaMD5:
        case uaCrypt:
        case uaPassword:
            errstr = gettext_noop("password authentication failed for user \"%s\"");

Looks to me like we're still using md5/password, and indeed a few lines down is the error we should be seeing:

#ifdef USE_LDAP
        case uaLDAP:
            errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
            break;
#endif   /* USE_LDAP */
        default:
            errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
            break;

It also seems that if Ubuntu's installation didn't support ldap we'd see the last error message.

I think your host must be matching the "password" line in pg_hba.conf

Oh - two more points.

1. I didn't see anything authentication-related in your logs either. Plenty of connection startup stuff, but no auth.

2. Wireshark is a handy tool for this sort of thing. It's a network analyser - point it at port 389 and see what it comes up with.

--
  Richard Huxton
  Archonet Ltd

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
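
Added example (not part of the message above and not PostgreSQL code): a small first-match resolver for pg_hba.conf that reports which rule the server would use for a connection and which later rules it would never reach, the situation the reply suspects. The sample file, the database name testdb, the client address and the <basedn>/<prefix> placeholders are constructed; only host/local lines, "all" or literal names, and CIDR addresses are handled.

```python
import ipaddress

# Constructed pg_hba.conf tail, NOT the poster's file (the page does not show it).
# Hypothetical layout: a broad md5 rule sits above the narrower ldap rule.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS     METHOD
local   all       all                    ident sameuser
host    all       all   127.0.0.1/32     md5
host    all       all   192.168.0.0/16   md5
host    all       all   192.168.1.0/24   ldap "ldap://master1.belfry.lan/<basedn>;<prefix>"
"""

def _field_matches(field, value):
    # Simplification: only "all" and comma-separated literal names are handled.
    return field == "all" or value in field.split(",")

def matching_rules(hba_text, conn_type, database, user, client_ip=None):
    """Yield (line_number, method) for every rule matching the connection, in file order."""
    for lineno, raw in enumerate(hba_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != conn_type:
            continue
        if conn_type == "local":
            if len(tokens) < 4:
                continue
            db, usr, method = tokens[1:4]
        else:
            if len(tokens) < 5:
                continue
            db, usr, cidr, method = tokens[1:5]
            # Assumption: CIDR notation only (no separate netmask column).
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr, strict=False):
                continue
        if _field_matches(db, database) and _field_matches(usr, user):
            yield lineno, method

def effective_and_shadowed(hba_text, conn_type, database, user, client_ip=None):
    """First match is the only method the server uses; later matches are never tried."""
    hits = list(matching_rules(hba_text, conn_type, database, user, client_ip))
    return (hits[0] if hits else None), hits[1:]

if __name__ == "__main__":
    used, shadowed = effective_and_shadowed(SAMPLE_HBA, "host", "testdb", "testuser", "192.168.1.50")
    print("method used:", used)         # (4, 'md5')
    print("never reached:", shadowed)   # [(5, 'ldap')]
```

With the constructed file, the ldap line is shadowed by the md5 line above it, which would produce the "password authentication failed" message rather than the LDAP one.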
