Discussion: PostgreSQL 9.0 authentication against LDAP/AD


PostgreSQL 9.0 authentication against LDAP/AD

From
Michael O'Donnell
Date:
Hello,

I am trying to authenticate PostgreSQL 9.0 login roles against LDAP/Active directory (AD). PostgreSQL 9.0 is installed on a Windows 2008 R2 64bit. My pg_hba.conf setting looks like the following:

host        <db>        <user>        samenet        ldap        ldapserver=<server.domain.net.com> ldapprefix="DOMAIN\"
I am populating the <db>, <user>, <server.domain.net.com>, and DOMAIN with real values.

When I use the following psql command I get an error:
C:\Windows\System32>psql -d <db> -U <user> -W
Password for user <user>:
psql: FATAL:  password authentication failed for user "<user>"

I have added the <user> to the login role and the user exists in AD.

If I use psycopg2 (a python module that is commonly used for PostgreSQL interaction), I can actually connect to the database using the settings specified in the pg_hba.conf file shown above. If I use a false username, the script fails. Therefore the script is behaving as I would expect, but I am confused why psql is behaving differently.

Questions:
1. Does my pg_hba.conf setting seem correct?
2. If my pg_hba.conf setup is correct, why is psql failing (does not fail using a second user specified in db that authenticates with password)? I also tried specifying ldapport, but this was causing a failure in postgres reading the conf. I am able to use the same command on different databases and for different users and this works.
3. Is the transfer of the password automatically encrypted? I read in a blog that using LDAP does not encrypt and I need to use SSL. I tried using ldaptls=1 but this was causing a failure in postgres reading the conf.
4. There is some documentation I have found online on how to set this up but most of the examples/blogs were not helping me to work through this.

Thank you for any help you can provide.
mike

- - - - - - - - - - - - - - - - - - - - - - - - - -
Michael O'Donnell
Phone: 970.226.9407
Fax: 970.226.9230
Email: odonnellm@usgs.gov

United States Geological Survey/BRD
Fort Collins Science Center
2150 Centre Ave., Bldg C
Fort Collins, CO 80526


Re: PostgreSQL 9.0 authentication against LDAP/AD

From
Stephen Frost
Date:
Michael,

* Michael O'Donnell (odonnellm@usgs.gov) wrote:
> I am trying to authenticate PostgreSQL 9.0 login roles against LDAP/Active
> directory (AD). PostgreSQL 9.0 is installed on a Windows 2008 R2 64bit. My
> pg_hba.conf setting looks like the following:

My first reaction to this, to be honest, is to ask why you're using
LDAP-based authentication instead of SSPI/Kerberos-based authentication?
Kerberos is supported and is a much better protocol that would, among
other things, prevent the server from ever seeing an individual user's
password.

> When I use the following psql command I get an error:
> C:\Windows\System32>psql -d <db> -U <user> -W
> Password for user <user>:
> psql: FATAL:  password authentication failed for user "<user>"

Since it works with a different user, I wonder if there's some issue
just passing the username on the command-line; are you sure that the
user shown in the error from psql matches what you're passing in?  Have
you checked the PostgreSQL server logs?  Do you have anything in
pg_ident.conf?

> I have added the <user> to the login role and the user exists in AD.

Not quite sure what you mean, exactly, by having the user added to the
'login' role, but you definitely want to make sure that the 'LOGIN'
attribute is set for the role; eg: ALTER ROLE user WITH LOGIN;

> If I use psycopg2 (a python module that is commonly used for PostgreSQL
> interaction), I can actually connect to the database using the settings
> specified in the pg_hba.conf file shown above. If I use a false username,
> the script fails. Therefore the script is behaving as I would expect, but
> I am confused why psql is behaving differently.

This definitely makes me wonder if there's something weird with the user
being passed on the command-line that's causing the issue.

> 3. Is the transfer of the password automatically encrypted? I read in a
> blog that using LDAP does not encrypt and I need to use SSL. I tried using
> ldaptls=1 but this was causing a failure in postgres reading the conf.

More specifics about this would help: the exact pg_hba.conf line, the
exact error from the server logs, etc.  Of course, just moving to
Kerberos-based authentication would simplify this whole thing and remove
all the LDAP fun.

    Thanks,

        Stephen


Re: PostgreSQL 9.0 authentication against LDAP/AD

From
"Smith, Hazel"
Date:
Michael O'Donnell wrote...
>
> I am trying to authenticate PostgreSQL 9.0 login roles against LDAP/Active directory (AD). PostgreSQL 9.0 is
> installed on a Windows 2008 R2 64bit. My pg_hba.conf setting looks like the following:
>
> host        <db>        <user>        samenet        ldap        ldapserver=<server.domain.net.com>
> ldapprefix="DOMAIN\"
> I am populating the <db>, <user>, <server.domain.net.com>, and DOMAIN with real values.
>
> When I use the following psql command I get an error:
> C:\Windows\System32>psql -d <db> -U <user> -W
> Password for user <user>:
> psql: FATAL:  password authentication failed for user "<user>"

As far as I can see, that error indicates that it is not even attempting to use LDAP authentication. It would have said
"psql: FATAL:  LDAP authentication failed for user ..." if it had been using the "ldap" method.


Kind Regards

Hazel Smith
Database Administrator
Cromwell Tools

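Hazel's point can be checked mechanically: pg_hba.conf is evaluated top to bottom and the first matching line decides the method, so a "password authentication failed" message means an earlier md5/password line matched the client before the ldap line was reached. The following is an added Python example, not code from the thread; it uses a constructed pg_hba.conf with assumed values (ldap.example.net, the EXAMPLE domain, the 10.1.0.0/16 and 192.168.5.0/24 subnets) and a simplified matcher that handles only CIDR addresses, samenet, all, sameuser and name lists.

```python
import ipaddress

# Constructed sample pg_hba.conf (not the poster's file). PostgreSQL uses the FIRST
# matching line, so for clients on 10.1.0.0/16 the md5 line shadows the ldap line:
# they get "password authentication failed" and LDAP is never tried.
SAMPLE_HBA = r"""
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  md5
host    all       all   10.1.0.0/16   md5
host    appdb     all   samenet       ldap ldapserver=ldap.example.net ldapprefix="EXAMPLE\"
"""

def parse_hba(text):
    """Return non-comment pg_hba.conf entries as dicts, in file order (1-based line numbers)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":  # 'local' lines have no ADDRESS column
            f.insert(3, None)
        entries.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                        "addr": f[3], "method": f[4], "options": f[5:]})
    return entries

def _name_matches(spec, value, sameuser_value=None):
    """'all', 'sameuser' and comma-separated lists; +group/@file are not handled here."""
    if spec == "all":
        return True
    if spec == "sameuser":
        return value == sameuser_value
    return value in spec.split(",")

def first_match(entries, db, user, client_ip, local_net):
    """Mimic the first-match rule for a TCP ('host') connection from client_ip.
    local_net (assumed server subnet) resolves 'samenet'; only CIDR and samenet are handled."""
    ip = ipaddress.ip_address(client_ip)
    for e in entries:
        if e["type"] == "local":
            continue
        if not (_name_matches(e["db"], db, user) and _name_matches(e["user"], user)):
            continue
        cidr = local_net if e["addr"] == "samenet" else e["addr"]
        if ip in ipaddress.ip_network(cidr, strict=False):
            return e
    return None
```

Running first_match for a client on 10.1.0.0/16 returns the md5 line, while a client on a subnet no earlier line covers reaches the ldap line; comparing the two against the server log is the quickest way to see whether the LDAP entry is ever consulted.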