Re: PostGres Config to Authenticate against AD over LDAP

From: Richard Huxton
Subject: Re: PostGres Config to Authenticate against AD over LDAP
Date:
Msg-id: 4A7A8FEE.8010609@archonet.com
In response to: PostGres Config to Authenticate against AD over LDAP (Richard Esmonde <richard.esmonde@archimedesmodel.com>)
List: pgsql-general
Richard Esmonde wrote:
>
> I'm new to PostGres (so go easy on my naivety).  I am trying to configure
> the postgres host based configuration file to permit users to authenticate
> against our Active Directory.

OK. Never tried that myself, but let's see.

> Needless to say both Ubuntu server and AD are in the same Domain.
> - I am running PostGRESQL v8.3.7 on a 64-Bit Ubuntu Hardy Heron Dell
> server with Apache 2.
> - I am not running SSL.
> - This work is happening on a LAN.  My AD server=master1 and the
> LAN=belfry.lan
>
> - I installed Postgres as follows:
>
>     # sudo apt-get install postgresql-8.3 postgresql-client-8.3
>     postgresql-client-common postgresql-common

All good info. Grab yourself a copy of the source from postgresql.org
too when you have time. Always useful to have a copy. Oh and "ack" too
(package is "ack-grep" on Ubuntu I think) - it's an improved version of
grep.

> It runs just fine and I can create databases users and tables with no
> problems.
>
> Currently, the end of my pg_hba.conf file looks like:

Nothing leaping out at me here. One thing to be aware of is that PG will
try the first authentication method that matches host+db and not try any
further ones.

> I created a testuser and a test database.  The user, testuser exists in my
> Active Directory with a different password.  I can connect as testuser to
> the DB via command line or via pgAdmin III with the postgres password for
> testuser.  When I try to connect using the user's LDAP password I always get:
>
>     psql: FATAL:  password authentication failed for user testuser

Well, I'd expect LDAP to be mentioned somewhere. Using my source tree,
ack and mighty powers of C knowledge:

backend/libpq/auth.c

         case uaMD5:
         case uaCrypt:
         case uaPassword:
             errstr = gettext_noop("password authentication failed for user \"%s\"");

Looks to me like we're still using md5/password, and indeed a few lines
down is the error we should be seeing:

#ifdef USE_LDAP
         case uaLDAP:
             errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
             break;
#endif   /* USE_LDAP */
         default:
             errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
             break;

It also seems that if Ubuntu's installation didn't support ldap we'd see
the last error message.

I think your host must be matching the "password" line in pg_hba.conf.

Oh - two more points.

1. I didn't see anything authentication-related in your logs either.
Plenty of connection startup stuff, but no auth.

2. Wireshark is a handy tool for this sort of thing. It's a network
analyser - point it at port 389 and see what it comes up with.

--
   Richard Huxton
   Archonet Ltd
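Richard's first-match point, as an added illustration that is not part of the thread: a small Python model of how pg_hba.conf is evaluated, run over a constructed file in which a catch-all md5 line shadows the ldap line, and the same file with the lines reordered. The addresses, the database name and the bare "ldap" method (its option string omitted) are assumptions, not the poster's real configuration.

```python
import ipaddress
# Constructed sample (not the poster's real file): a catch-all md5 line sits
# above the ldap line. Addresses and the database name are assumptions.
SHADOWED_HBA = """
local   all       all                         ident sameuser
host    all       all       192.168.1.0/24    md5
host    testdb    testuser  192.168.1.0/24    ldap
"""
# Same rules with the specific ldap line placed before the catch-all md5 line.
FIXED_HBA = """
local   all       all                         ident sameuser
host    testdb    testuser  192.168.1.0/24    ldap
host    all       all       192.168.1.0/24    md5
"""
# FATAL text the backend chooses per method (see the auth.c excerpt above).
ERROR_FOR_METHOD = {"md5": "password authentication failed",
                    "password": "password authentication failed",
                    "ldap": "LDAP authentication failed"}

def parse_hba(text):
    # Keep file order; comma lists, +group and @file forms are not handled.
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        local = f[0] == "local"
        rules.append({"type": f[0], "db": f[1], "user": f[2],
                      "net": None if local else ipaddress.ip_network(f[3], strict=False),
                      "method": f[3] if local else f[4]})
    return rules

def first_match(rules, conn_type, db, user, addr=None):
    # The backend stops at the first matching line; later, more specific lines are never consulted.
    for r in rules:
        if r["type"] != conn_type:
            continue
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if r["net"] is not None and ipaddress.ip_address(addr) not in r["net"]:
            continue
        return r
    return None

def expected_error(hba_text, db, user, addr):
    # Which FATAL message a failed TCP login would get under this pg_hba.conf.
    rule = first_match(parse_hba(hba_text), "host", db, user, addr)
    if rule is None:
        return "no pg_hba.conf entry"
    return ERROR_FOR_METHOD.get(rule["method"], "authentication failed")
```

With the shadowed file the model reports the same "password authentication failed" text the poster sees, which is the tell that the ldap line was never reached.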
