LDAP Binding Debugging

From: Jonathan Kim-Hull
Subject: LDAP Binding Debugging
Date:
Msg-id DM8P223MB00629DFD2A6DCCB58CED60E3BBF19@DM8P223MB0062.NAMP223.PROD.OUTLOOK.COM
List: pgadmin-support

Good day,

 

New to pgadmin, loving it so far. Got it up and running. Now trying to bind to our AD using LDAP, Windows Server 2016. Below is the following issue / error but I am not finding a good log or method for debugging the issue. Can anyone point me to where I need to look? I followed the info in https://www.pgadmin.org/docs/pgadmin4/5.5/ldap.html. I feel one thing in the future that would help is an example of this working. If I figure this out I may post a blog on Medium to show what I did. I tested the Bind user and it can authenticate with the AD through LDAP. Thanks for any help.

 

python lib/python3.7/site-packages/pgadmin4/pgAdmin4.py
Starting pgAdmin 4. Please navigate to http://0.0.0.0:5050 in your browser.
2021-08-04 10:22:52,822: WARNING        werkzeug:       WebSocket transport not available. Install simple-websocket for improved performance.
* Serving Flask app "pgadmin" (lazy loading)
* Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
* Debug mode: off
2021-08-04 10:23:01,788: ERROR  pgadmin:        Error binding to the LDAP server.
Traceback (most recent call last):
  File "/usr/share/nginx/pgadmin4/bin/.pgadmin4/lib/python3.7/site-packages/pgadmin4/pgadmin/authenticate/ldap.py", line 120, in connect
    authentication=SIMPLE
  File "/usr/share/nginx/pgadmin4/bin/.pgadmin4/lib/python3.7/site-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/share/nginx/pgadmin4/bin/.pgadmin4/lib/python3.7/site-packages/ldap3/core/connection.py", line 412, in _do_auto_bind
    raise LDAPBindError(error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful – invalidCredentials

 

lib/python3.7/site-packages/pgadmin4/config_local.py:

##########################################################################
# pgAdmin4 Server Configuration
##########################################################################
DEFAULT_SERVER = '0.0.0.0'
DEFAULT_SERVER_PORT = 5050
LOG_FILE = '/var/log/pgadmin4/pgadmin4.log'
SQLITE_PATH = '/usr/share/nginx/pgadmin4/pgadmin4.db'
SESSION_DB_PATH = '/usr/share/nginx/pgadmin4/sessions'
STORAGE_DIR = '/usr/share/nginx/pgadmin4/storage'
SERVER_MODE = True

##########################################################################
# Authentication Configuration
##########################################################################
AUTHENTICATION_SOURCES = ['ldap', 'internal']

##########################################################################
# LDAP Configuration
##########################################################################
# After ldap authentication, user will be added into the SQLite database
# automatically, if set to True.
# Set it to False, if user should not be added automatically,
# in this case Admin has to add the user manually in the SQLite database.
LDAP_AUTO_CREATE_USER = True

# Specifies the connection timeout (in seconds) for LDAP authentication.
LDAP_CONNECTION_TIMEOUT = 30

# Server connection details (REQUIRED)
# example: ldap://<ip-address>:<port> or ldap://<hostname>:<port>
LDAP_SERVER_URI = 'ldap://ldap.ourdomain.com:389'

# The LDAP attribute containing user names. In OpenLDAP, this may be 'uid'
# whilst in AD, 'sAMAccountName' might be appropriate. (REQUIRED)
LDAP_USERNAME_ATTRIBUTE = 'sAMAccountName'

##########################################################################
# 3 ways to configure LDAP as follows (Choose any one):

# 1. Dedicated User binding
# LDAP Bind User DN Example: cn=username,dc=example,dc=com
# Set this parameter to allow the connection to bind using a dedicated user.
# After the connection is made, the pgadmin login user will be further
# authenticated by the username and password provided
# at the login screen.
LDAP_BIND_USER = 'OU=SVC_pgAdmin_Auth,OU=Users,OU=Accounts,OU=Corporate,DC=ourdomain,DC=com'

# LDAP Bind User Password
LDAP_BIND_PASSWORD = '…'

# OR ####################
# 2. Anonymous Binding

# Set this parameter to allow the anonymous bind.
# After the connection is made, the pgadmin login user will be further
# authenticated by the username and password provided
LDAP_ANONYMOUS_BIND = False

# OR ####################
# 3. Bind as pgAdmin user

# BaseDN (REQUIRED)
# AD example:
# (&(objectClass=user)(memberof=CN=MYGROUP,CN=Users,dc=example,dc=com))
# OpenLDAP example: CN=Users,dc=example,dc=com
#LDAP_BASE_DN = 'OU=Users,OU=Accounts,OU=Corporate,DC=ourdomain,DC=com'
#LDAP_BASE_DN = '(&(objectClass=domain user)(memberof=CN=Users,dc=ourdomain,dc=com))'

##########################################################################
# Search ldap for further authentication (REQUIRED)
# It can be optional while bind as pgAdmin user
#LDAP_SEARCH_BASE_DN = '<Search-Base-DN>'

# Filter string for the user search.
# For OpenLDAP, '(cn=*)' may well be enough.
# For AD, you might use '(objectClass=user)' (REQUIRED)
LDAP_SEARCH_FILTER = '(objectclass=*)'
#LDAP_SEARCH_FILTER = '(&(objectclass=domain user)(|(memberOf=OU=Users,OU=Accounts,OU=Corporate,DC=ourdomain,DC=com)))'

# Indicates the set of entries at or below the Base DN that may be considered as
# potential matches for a search request. You can specify the scope of a search
# as either a base, level, or subtree search. A base search limits the search to
# the base object. A level search is restricted to the immediate children of a
# base object, but excludes the base object itself. A subtree search includes
# all child objects as well as the base object.
# Search scope for users (one of BASE, LEVEL or SUBTREE)
LDAP_SEARCH_SCOPE = 'SUBTREE'

# Use TLS? If the URI scheme is ldaps://, this is ignored.
LDAP_USE_STARTTLS = False

# TLS/SSL certificates. Specify if required, otherwise leave empty
#LDAP_CA_CERT_FILE = ''
#LDAP_CERT_FILE = ''
#LDAP_KEY_FILE = ''

 

Jonathan
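
One way to narrow down the invalidCredentials bind failure above outside pgAdmin, as an added example that is not part of the original message or of pgAdmin's code. The function names are hypothetical, the sample diagnostic message is constructed, the sub-code table is the commonly documented Active Directory set, and only try_bind needs the ldap3 package.

```python
import re

# Sub-codes Active Directory places in the diagnostic message of a failed
# bind (the "data NNN" field); all of them surface as invalidCredentials.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password or bind identity)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def explain_ad_bind_error(message):
    """Return (subcode, meaning) parsed from an AD bind diagnostic message."""
    m = re.search(r"\bdata\s+([0-9a-fA-F]+)\b", message or "")
    if not m:
        return None, "no AD sub-code in message"
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")

def check_bind_dn(dn):
    """Heuristic: a bind DN normally starts with the account's own CN= or UID=."""
    first_rdn = re.split(r"(?<!\\),", dn.strip(), maxsplit=1)[0]
    attr = first_rdn.split("=", 1)[0].strip().upper()
    if attr in ("CN", "UID"):
        return "ok"
    return f"leftmost RDN is {attr}=, expected the account's own CN= or UID="

def try_bind(uri, bind_dn, password):
    """Bind once with ldap3, as pgAdmin does, and return the server's result dict."""
    from ldap3 import Server, Connection, SIMPLE, NONE  # imported lazily
    conn = Connection(Server(uri, get_info=NONE, connect_timeout=30),
                      user=bind_dn, password=password, authentication=SIMPLE)
    conn.bind()                # returns False on failure instead of raising
    result = dict(conn.result)
    conn.unbind()
    return result              # result["message"] carries the "data NNN" text

# Constructed sample of an AD diagnostic message (not taken from the post).
SAMPLE = ("80090308: LdapErr: DSID-0C090400, comment: "
          "AcceptSecurityContext error, data 52e, v1db1")
```

Passing the LDAP_BIND_USER value from the config above to check_bind_dn reports its leading OU= component, and feeding try_bind(...)["message"] to explain_ad_bind_error gives the directory's specific reason for the rejection.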
