Re: Using more than one LDAP?

From: Magnus Hagander
Subject: Re: Using more than one LDAP?
Date:
Msg-id: CABUevEySDnhqeaKRBkkGUeDYEvVSm6-a6TSQztrMib8nZmjNdw@mail.gmail.com
In reply to: Using more than one LDAP?  (Paul Förster <paul.foerster@gmail.com>)
Responses: Re: Using more than one LDAP?  (Paul Förster <paul.foerster@gmail.com>)
List: pgsql-general
On Wed, Jan 6, 2021 at 3:38 PM Paul Förster <paul.foerster@gmail.com> wrote:
>
> Hi,
>
> can I use more than one LDAP server entry in pg_hba.conf? My tests show that only the first one is used.
>
> Example:
>
> ldap1.domain contains user1, user2
> ldap2.another.domain contains user3, user4
>
> All 4 users have an account in a PostgreSQL cluster.
>
> ldap1 is openLDAP and ldap2 is Windows AD. Both naturally have different parameters/options and as such require two different lines in pg_hba.conf.
>
> If I connect as user1 or user2, it works. If I try to connect as user3 or user4, it fails because ldap1 reports the user as non-existent, which is correct for ldap1. But in this case, ldap2 is never asked.
>
> How can I solve this dilemma?

Only if you can create rules in your pg_hba.conf file that know where
the users are. You can specify multiple servers on one line, but that
only balances across servers that don't work. If a server replies "no"
to a response, PostgreSQL will not move on to the next one. So you
have to make it initially pick the correct rule.

And what would you do if user5 exists in both of the ldap servers?

One hacky way you could do it is create a group role for each server,
maintained by some cron job, that indicates which LDAP server the user
is on. You can then use group matching to pick the correct rule in
pg_hba. It's kind of an ugly hack though..

You'd probably be better off to have a federated ldap server that has
a view of both servers, and use that.

Or even better, since one of your nodes is AD, it speaks Kerberos.
Setting up a Kerberos trust between the two environments would make it
possible to do things like regexp matching on the realm in
pg_ident.conf, and as a bonus you get Kerberos which is a lot more
secure than ldap for auth..  It might have a slightly higher barrier
of entry, but could probably pay off well in a case like this.

--
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/
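The following pg_hba.conf and pg_ident.conf fragments are an added illustration of the two approaches described in the reply above (group-role matching, and Kerberos with a realm regexp in pg_ident.conf); they are not from the original thread or from the PostgreSQL project. The host names ldap1.domain and ldap2.another.domain come from the question; the base DNs, bind account, role names ldap1_users/ldap2_users, realm names and map name are assumed placeholders that would need to match the real directories.

```text
# --- pg_hba.conf: what does NOT work --------------------------------------
# Both lines match every user, so pg_hba stops at the first match. user3 is
# checked against ldap1 only, ldap1 says "no such user", and the connection is
# rejected; the second line is never consulted.
#
# TYPE  DATABASE  USER  ADDRESS       METHOD  OPTIONS
host    all       all   10.0.0.0/8    ldap    ldapserver=ldap1.domain ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=people,dc=domain"
host    all       all   10.0.0.0/8    ldap    ldapserver=ldap2.another.domain ldaptls=1 ldapbasedn="dc=another,dc=domain" ldapbinddn="cn=pgbind,cn=Users,dc=another,dc=domain" ldapbindpasswd="<bind-password>" ldapsearchattribute=sAMAccountName

# --- pg_hba.conf: route by group role ------------------------------------
# Assumed NOLOGIN roles ldap1_users and ldap2_users, with user1/user2 granted
# membership of the first and user3/user4 of the second (kept in sync by the
# cron job Magnus mentions). "+role" in the USER column matches members of
# that role, so each connection is steered to the one directory that knows it.
host    all       +ldap1_users  10.0.0.0/8  ldap  ldapserver=ldap1.domain ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=people,dc=domain"
host    all       +ldap2_users  10.0.0.0/8  ldap  ldapserver=ldap2.another.domain ldaptls=1 ldapbasedn="dc=another,dc=domain" ldapbinddn="cn=pgbind,cn=Users,dc=another,dc=domain" ldapbindpasswd="<bind-password>" ldapsearchattribute=sAMAccountName
# Anything not in either group falls through to an explicit reject so that a
# misconfigured account fails closed rather than matching a later catch-all.
host    all       all           10.0.0.0/8  reject

# --- pg_hba.conf + pg_ident.conf: Kerberos with a realm regexp -----------
# Assumes a Kerberos trust so that principals from both realms (placeholders
# CORP.EXAMPLE and OTHER.EXAMPLE) can authenticate. include_realm=1 keeps the
# realm in the principal name, and the map strips it per realm.
host    all       all           10.0.0.0/8  gss   include_realm=1 map=krbmap

# pg_ident.conf
# MAPNAME  SYSTEM-USERNAME              PG-USERNAME
krbmap     /^(.*)@CORP\.EXAMPLE$        \1
krbmap     /^(.*)@OTHER\.EXAMPLE$       \1
```

The group roles for the second approach are ordinary roles (for example `CREATE ROLE ldap1_users NOLOGIN;` and `GRANT ldap1_users TO user1;`), so the cron job only has to keep the GRANTs in step with the directories. The two pg_ident.conf lines map each realm to the bare user name; if the same bare name can exist in both realms (the user5 case in the reply), map one realm to a prefixed or suffixed PostgreSQL name instead, such as `\1_other`, so the two identities cannot collide.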


