Re: LDAPS trusted ca support

From Marco Cuccato
Subject Re: LDAPS trusted ca support
Date
Msg-id CACg0f4bnvrFaY0vRy-5eyJ+3hYQZPDJ_u=YZTWYe2M8n-rkkpA@mail.gmail.com
In reply to Re: LDAPS trusted ca support  (Thomas Munro <thomas.munro@gmail.com>)
Responses Re: LDAPS trusted ca support  (Marco Cuccato <mcuccato.vts@gmail.com>)
List pgsql-bugs
Thanks Thomas,
your suggestions put me on the right way.
I was performing the ldapsearch as root and not as the postgresql user, which is the user that runs the postgres service.
Thanks to the ldapsearch debug output, I found that this user was not able to read the /etc/openldap/ldap.conf file, which contains the TLS configuration properties such as TLS_CACERT, TLS_CACERTDIR and TLS_CACERTFILE that point to the needed self-signed certificate.
After letting the postgres user read this file, the LDAP authentication works.
Just a clarification: ldapscheme=ldap with ldaptls=1 works; any other combination does not work.
Thank you very much,
Marco

On Mon 25 Nov 2019 at 22:33 Thomas Munro <thomas.munro@gmail.com> wrote:
On Tue, Nov 26, 2019 at 4:35 AM Marco Cuccato <mcuccato.vts@gmail.com> wrote:
> Ok sorry for the mail before I misunderstood your suggestion.
> I verified the ldap.conf file and the TLS_CACERT parameter points to a PEM file which already contains the certificate that signs the LDAP server certificate.

Here are some things I'd check:  When you used the ldapsearch command,
did you use -ZZ?  (Just -Z means something like try to use SSL but
don't worry if it doesn't work; -ZZ requires it to work).  Does the
"postgres" user (assuming the RHEL packages use that to run
PostgreSQL) have permissions to read the files it needs to read?  If
you become that user with su - postgres, can you use the "ldapsearch"
command successfully?  If you do strace -f -p [postmaster], and then
try to log in with your LDAP-authenticated user, does it give you a
clue about what files it is accessing or failing to access, and then
if you compare "strace ldapsearch ...", does that give you a clue
about what is different?  If you do ldd /path/to/postgres and ldd
/path/to/ldapsearch can you see that they're both using the same
libldap-XXX.so.Y (if they were using different OpenLDAP client
libraries they might have different .conf paths compiled into them)?
