Thread: [ADMIN] Postgres user authentication with secure LDAP

[ADMIN] Postgres user authentication with secure LDAP

From
"Tang, Ronald K CIV FNMOC, N6"
Date:
Hi,

I am trying to configure my Postgres server to use LDAP for authentication. My pg_hba.conf config line is:

ldap ldapserver=ldaps://myldaps.company.com ldapport=636 ldaptls=1  ldapprefix="uid=" ldapsuffix=",ou=People,o=my.company.com"

I queried the LDAP server successfully with the 'ldapsearch' tool with the same DN. However, I cannot get it to work successfully on Postgres. I have ssl=on and all server and CA certs installed.

Postgres version 9.5.6.

Error log:

 could not initialize LDAP: No such file or directory
LDAP authentication failed for user "user1"
 auth_failed, auth.c:288

---------------------------------------
Thanks for any help.
Ron



Re: [ADMIN] Postgres user authentication with secure LDAP

From
Jeffrey Shaw
Date:
Hi Ron,
What OS is your server running, and what OS is your client running?

I found that it was only possible to get clients from a Windows machine to authenticate via ldap against a server that was also running Windows. Hopefully someone else has more experience here than me.

On Thu, Aug 10, 2017 at 5:02 PM, Tang, Ronald K CIV FNMOC, N6 <ronald.k.tang@navy.mil> wrote:
Hi,

I am trying to configure my Postgres server to use LDAP for authentication. My pg_hba.conf config line is:

ldap ldapserver=ldaps://myldaps.company.com ldapport=636 ldaptls=1  ldapprefix="uid=" ldapsuffix=",ou=People,o=my.company.com"

I queried the LDAP server successfully with the 'ldapsearch' tool with the same DN. However, I cannot get it to work successfully on Postgres. I have ssl=on and all server and CA certs installed.

Postgres version 9.5.6.

Error log:

 could not initialize LDAP: No such file or directory
LDAP authentication failed for user "user1"
 auth_failed, auth.c:288

---------------------------------------
Thanks for any help.
Ron



--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

Re: [ADMIN] Postgres user authentication with secure LDAP

From
Scott Whitney
Date:
Well, first off, you're on the wrong port for LDAPS://

From: pgsql-admin-owner@postgresql.org <pgsql-admin-owner@postgresql.org> on behalf of Jeffrey Shaw <shawjef3@gmail.com>
Sent: Thursday, August 10, 2017 4:57:51 PM
To: Tang, Ronald K CIV FNMOC, N6
Cc: pgsql-admin@postgresql.org
Subject: Re: [ADMIN] Postgres user authentication with secure LDAP
 
Hi Ron,
What OS is your server running, and what OS is your client running?

I found that it was only possible to get clients from a Windows machine to authenticate via ldap against a server that was also running Windows. Hopefully someone else has more experience here than me.


Re: [ADMIN] Postgres user authentication with secure LDAP

From
Stephen Frost
Date:
Greetings,

* Jeffrey Shaw (shawjef3@gmail.com) wrote:
> What OS is your server running, and what OS is your client running?

Good question.

> I found that it was only possible to get clients from a Windows machine to
> authenticate via ldap against a server that was also running Windows.
> Hopefully someone else has more experience here than me.

That shouldn't be the case, so I'm curious as to what was going on
there..

That said, I'd strongly recommend using GSSAPI/Kerberos if the
environment is a Windows Active Directory one, as it's much more secure
and works quite well.

Thanks!

Stephen

Re: [ADMIN] Postgres user authentication with secure LDAP

From
Peter Eisentraut
Date:
On 8/10/17 17:02, Tang, Ronald K CIV FNMOC, N6 wrote:
> I am trying to configure my Postgres server to use LDAP for authentication. My pg_hba.conf config line is:
>
> ldap ldapserver=ldaps://myldaps.company.com ldapport=636 ldaptls=1  ldapprefix="uid=" ldapsuffix=",ou=People,o=my.company.com"

The ldapserver= attribute takes a host name, not a URL.

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
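
An added example, not part of any message in this thread: a small Python lint for the LDAP options of a pg_hba.conf rule, scoped to PostgreSQL 9.5 as discussed here (ldapserver is a host name, ldaps URLs are unsupported, ldaptls=1 means StartTLS). The connection fields of the sample lines, the ldapport=389 variant and the finding names are constructed for illustration; whether a given directory accepts StartTLS on port 389 is an assumption.

```python
import re
import shlex

URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

# Constructed samples: connection fields are invented; LDAP options follow the thread.
AS_POSTED = ('host all all 10.0.0.0/8 ldap ldapserver=ldaps://myldaps.company.com '
             'ldapport=636 ldaptls=1 ldapprefix="uid=" '
             'ldapsuffix=",ou=People,o=my.company.com"')
HOSTNAME_STARTTLS = ('host all all 10.0.0.0/8 ldap ldapserver=myldaps.company.com '
                     'ldapport=389 ldaptls=1 ldapprefix="uid=" '
                     'ldapsuffix=",ou=People,o=my.company.com"')
LDAPS_URL = ('host all all 10.0.0.0/8 ldap '
             'ldapurl="ldaps://myldaps.company.com/ou=People,o=my.company.com?uid?sub"')

def ldap_options(hba_line):
    """Return the trailing name=value options of an 'ldap' rule, else None."""
    tokens = shlex.split(hba_line, comments=True)
    opts = [t for t in tokens if "=" in t]
    method_idx = len(tokens) - len(opts) - 1
    if method_idx < 0 or tokens[method_idx] != "ldap":
        return None
    return dict(t.split("=", 1) for t in opts)

def lint_ldap_rule(hba_line):
    """Return finding names for one pg_hba.conf line (empty list = no findings)."""
    opts = ldap_options(hba_line)
    if opts is None:
        return []
    findings = []
    starttls = opts.get("ldaptls") == "1"
    # ldapserver takes host names or addresses (space-separated), never a URL.
    if any(URL_SCHEME.match(s) for s in opts.get("ldapserver", "").split()):
        findings.append("ldapserver-is-url")
    # The 9.5 documentation quoted in the thread: ldaps URLs are not supported.
    if opts.get("ldapurl", "").lower().startswith("ldaps://"):
        findings.append("ldaps-scheme-unsupported")
    # ldaptls=1 negotiates StartTLS; 636 conventionally expects TLS from the first byte.
    if starttls and opts.get("ldapport") == "636":
        findings.append("starttls-on-ldaps-port")
    # Without StartTLS the user's password crosses the network unencrypted on bind.
    if not starttls:
        findings.append("no-starttls")
    return findings

if __name__ == "__main__":
    for name in ("AS_POSTED", "HOSTNAME_STARTTLS", "LDAPS_URL"):
        print(name, lint_ldap_rule(globals()[name]))
```

The line as posted yields two findings, the host-name variant yields none, and the ldaps URL variant is flagged both as unsupported and as lacking StartTLS.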


Re: [Non-DoD Source] Re: [ADMIN] Postgres user authentication with secure LDAP

From
"Tang, Ronald K CIV FNMOC, N6"
Date:
I am responding to all replies in this single email. Thanks for all your responses.

>> The ldapserver= attribute takes a host name, not a URL.
Thanks. I tried that too. If I omit the ldaps:// the response is server not found.

>> What OS is your server running, and what OS is your client running?
RedHat Linux (RHEL 6), both client and server. Postgres 9.5.6

>> Well, first off, you're on the wrong port for LDAPS://
Default port for LDAPS:// is 636. I verified with "ldapsearch" tool that it works with that port.

Thanks,
Ron

-----Original Message-----
From: Peter Eisentraut [mailto:peter.eisentraut@2ndquadrant.com]
Sent: Thursday, August 10, 2017 8:05 PM
To: Tang, Ronald K CIV FNMOC, N6; pgsql-admin@postgresql.org
Subject: [Non-DoD Source] Re: [ADMIN] Postgres user authentication with secure LDAP

On 8/10/17 17:02, Tang, Ronald K CIV FNMOC, N6 wrote:
> I am trying to configure my Postgres server to use LDAP for authentication. My pg_hba.conf config line is:
>
> ldap ldapserver=ldaps://myldaps.company.com ldapport=636 ldaptls=1  ldapprefix="uid=" ldapsuffix=",ou=People,o=my.company.com"

The ldapserver= attribute takes a host name, not a URL.

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Re: [Non-DoD Source] Re: [ADMIN] Postgres user authentication with secure LDAP

From
"Tang, Ronald K CIV FNMOC, N6"
Date:
https://www.postgresql.org/docs/9.5/static/auth-methods.html#AUTH-LDAP

"The ldaps URL scheme (direct SSL connection) is not supported."

It doesn't appear "LDAPS" is supported in Postgres 9.5.

________________________________________
From: pgsql-admin-owner@postgresql.org [pgsql-admin-owner@postgresql.org] on behalf of Tang, Ronald K CIV FNMOC, N6 [ronald.k.tang@navy.mil]
Sent: Friday, August 11, 2017 9:00 AM
To: 'Peter Eisentraut'; 'pgsql-admin@postgresql.org'
Subject: Re: [Non-DoD Source] Re: [ADMIN] Postgres user authentication with secure LDAP

I am responding to all replies in this single email. Thanks for all your responses.

>> The ldapserver= attribute takes a host name, not a URL.
Thanks. I tried that too. If I omit the ldaps:// the response is server not found.

>> What OS is your server running, and what OS is your client running?
RedHat Linux (RHEL 6), both client and server. Postgres 9.5.6

>> Well, first off, you're on the wrong port for LDAPS://
Default port for LDAPS:// is 636. I verified with "ldapsearch" tool that it works with that port.

Thanks,
Ron


Re: [Non-DoD Source] Re: [ADMIN] Postgres user authentication with secure LDAP

From
Armin Resch
Date:
>> Default port for LDAPS:// is 636. I verified with "ldapsearch" tool  that it works with that port.

Odd, in my integration work b/w Apache on Linux and Windows AD, it didn't work well with port 636. Yet, it did work well with port 3269.

Cheers,
-ar