Re: Secured ldap connectivity between PostgreSQL and LDAPs server

Greetings Chiru, Adam,

* chiru r (chirupg@gmail.com) wrote:
> We are using LDAP authentication for authenticating users in PostgreSQL on
> Linux server and we are able to authenticate successfully.

What LDAP server are you connecting to for authentication..?  If you're
using Active Directory then you really should be using Kerberos/GSSAPI,
not LDAP (or LDAPS).  With LDAP-based authentication, the user's
password is sent in cleartext (or tunneled cleartext if you're using
SSL) and then used by the server to try to validate the user in LDAP.
That's much worse from a security perspective than using Kerberos/GSSAPI
and in an AD environment, Kerberos is already set up and available.

> However we want to configure secured LDAP (LDAPS) by using Certificates.

Are you looking to have client-side certificates, or do you just want to
validate the LDAP server's certificate?

> Please help me i have couple of  questions to configuring LDAPS.
>
> 1. Which location we need to keep the LDAPs Certificate files in PostgreSQL
> Linux server ?.

On Linux, PostgreSQL will be using ldap_start_tls_s() if you have
ldaptls=1 and then it's up to the LDAP library you've built your
PostgreSQL server against how to deal with anything further.  Most
likely this is OpenLDAP and it'll be built against OpenSSL or GNUTLS and
you'll have some system-wide certificate store which you can place the
CA's certificate into (eg: /etc/ssl).

> 2. Do we need to change any configuration file for certificate references
> on Linux server ? .

Not likely.  If you do, though, it'd be in either the configuration for
OpenLDAP or for the SSL library it's built against (as installed on your
system).

> 2. What need to be changed in Postgresql.conf file and pg_hba.conf file ?

ldaptls=1 is the main thing to get PG to use ldap_start_tls_s().

* Adam Tauno Williams (awilliam@whitemice.org) wrote:
> On Fri, 2017-12-08 at 07:40 -0500, chiru r wrote:
> > We are using LDAP authentication for authenticating users in
> > PostgreSQL on Linux server and we are able to authenticate
> > successfully. 
>
> Then one presumes you are using PAM (?) for password authentication -
> this question is really about pam_ldap, it is not specific to
> PostgreSQL in any way.  

I'm not sure why you're thinking this involves PAM at all, PostgreSQL
supports the ability to authenticate users against an LDAP directory
directly.  Not that it's a good idea, because it isn't, as discussed
above.

pam_ldap *could* be used, but definitely my assumption going in here is
that the pg_hba.conf has been configured to use the 'ldap' auth method,
not the 'pam' auth method.  Hopefully that's the case, or most of what
I've gone through here isn't accurate and we'd have to get into talking
about PAM. ;)

> > Please help me i have couple of  questions to configuring LDAPS. 
> > 1. Which location we need to keep the LDAPs Certificate files in
> > PostgreSQL Linux server ?.
> > 2. Do we need to change any configuration file for certificate
> > references on Linux server ? .
>
> The server should be configured to recognize certificates signed by
> whatever authority you are using - where they go to do that depends on
> your distribution.  Usually that involves putting the signing
> certificate somewhere like /usr/share/pki/ca-trust-source/anchors/ and
> running "update-ca-trust".  If your server already recognizes your CA
> you don't need to do anything other than changing PAM to use LDAPS.

Right, though this will depend on the specific Linux distribution, of
course.

> > 2. What need to be changed in Postgresql.conf file and pg_hba.conf
> > file ? 
>
> Nothing, PostgreSQL just calls the PAM library.  It does not care what
> happens beneath that.

PostgreSQL calls into the OpenLDAP library, as discussed above, at least
when the 'ldap' auth method is being used.

Thanks!

Stephen