Обсуждение: Disable /Suppress hostname checks while secured LDAP
Hello All,
Is there a way to disable/suppress hostname checks in while using Secured LDAP in postgreSQL for authentication.
The issue what we have is that the LDAP certificate what we are using is working for fully qualified named of the domain but not when we use a direct LDAP server in the pg_ba.conf file.
For example:
This works - ldapserver="ldaps//dummy.company.com"
This doesnt work - ldapserver="server1.dummy.company.com"
Our internal LDAP team says that we nees to disable/suppress the hostname checking on the postgreSQL side for the 2nd option to work.
Does anyone have an idea on how we can suppress hostnames check while using Secured LDAP.
Thanks ,
Sathesh
Hi satheesh,
Instead of ldap authentication method you can also use other methods like md5, and if it's trusted server u can use trust authentication method etc. Please refer the documentation regarding different authentication methods in pg_hba.conf file
On Feb 14, 2018 12:27 PM, "Sathesh S" <sathesh.sundaram@hotmail.com> wrote:
Hello All,Is there a way to disable/suppress hostname checks in while using Secured LDAP in postgreSQL for authentication.The issue what we have is that the LDAP certificate what we are using is working for fully qualified named of the domain but not when we use a direct LDAP server in the pg_ba.conf file.For example:Our internal LDAP team says that we nees to disable/suppress the hostname checking on the postgreSQL side for the 2nd option to work.Does anyone have an idea on how we can suppress hostnames check while using Secured LDAP.Thanks ,Sathesh
Hi Pavan,
We have to use LDAP to comply with our standards. Any suggestions on suppressing hostname check would be helpful.
Thanks,
Sathesh
From: Pavan Teja <pavan.postgresdba@gmail.com>
Sent: Wednesday, February 14, 2018 12:52:10 PM
To: Sathesh S
Cc: pgsql-admin@postgresql.org
Subject: Re: Disable /Suppress hostname checks while secured LDAP
Sent: Wednesday, February 14, 2018 12:52:10 PM
To: Sathesh S
Cc: pgsql-admin@postgresql.org
Subject: Re: Disable /Suppress hostname checks while secured LDAP
Hi satheesh,
Instead of ldap authentication method you can also use other methods like md5, and if it's trusted server u can use trust authentication method etc. Please refer the documentation regarding different authentication methods in pg_hba.conf file
On Feb 14, 2018 12:27 PM, "Sathesh S" <sathesh.sundaram@hotmail.com> wrote:
Hello All,Is there a way to disable/suppress hostname checks in while using Secured LDAP in postgreSQL for authentication.The issue what we have is that the LDAP certificate what we are using is working for fully qualified named of the domain but not when we use a direct LDAP server in the pg_ba.conf file.For example:Our internal LDAP team says that we nees to disable/suppress the hostname checking on the postgreSQL side for the 2nd option to work.Does anyone have an idea on how we can suppress hostnames check while using Secured LDAP.Thanks ,Sathesh
Greetings, * Sathesh S (sathesh.sundaram@hotmail.com) wrote: > Is there a way to disable/suppress hostname checks in while using Secured LDAP in postgreSQL for authentication. > > The issue what we have is that the LDAP certificate what we are using is working for fully qualified named of the domainbut not when we use a direct LDAP server in the pg_ba.conf file. > > For example: > This works - ldapserver="ldaps//dummy.company.com" > > This doesnt work - ldapserver="server1.dummy.company.com" > > Our internal LDAP team says that we nees to disable/suppress the hostname checking on the postgreSQL side for the 2nd optionto work. > > Does anyone have an idea on how we can suppress hostnames check while using Secured LDAP. This really isn't recommended because the point of the hostname check is to verify that you're actually talking to the server you intended to. What LDAP server are you using though..? If this is in an Active Directory environment, or any environment where you have Kerberos available, then you should be using Kerberos and *not* using LDAP (or even LDAPS) for authentication as it isn't nearly as secure. Thanks! Stephen
Вложения
Thanks for the input Stephen, we are using active directory.
- Sathesh
From: Stephen Frost <sfrost@snowman.net>
Sent: Wednesday, February 14, 2018 7:51:06 PM
To: Sathesh S
Cc: pgsql-admin@postgresql.org
Subject: Re: Disable /Suppress hostname checks while secured LDAP
Sent: Wednesday, February 14, 2018 7:51:06 PM
To: Sathesh S
Cc: pgsql-admin@postgresql.org
Subject: Re: Disable /Suppress hostname checks while secured LDAP
Greetings,
* Sathesh S (sathesh.sundaram@hotmail.com) wrote:
> Is there a way to disable/suppress hostname checks in while using Secured LDAP in postgreSQL for authentication.
>
> The issue what we have is that the LDAP certificate what we are using is working for fully qualified named of the domain but not when we use a direct LDAP server in the pg_ba.conf file.
>
> For example:
> This works - ldapserver="ldaps//dummy.company.com"
>
> This doesnt work - ldapserver="server1.dummy.company.com"
>
> Our internal LDAP team says that we nees to disable/suppress the hostname checking on the postgreSQL side for the 2nd option to work.
>
> Does anyone have an idea on how we can suppress hostnames check while using Secured LDAP.
This really isn't recommended because the point of the hostname check is
to verify that you're actually talking to the server you intended to.
What LDAP server are you using though..? If this is in an Active
Directory environment, or any environment where you have Kerberos
available, then you should be using Kerberos and *not* using LDAP (or
even LDAPS) for authentication as it isn't nearly as secure.
Thanks!
Stephen
* Sathesh S (sathesh.sundaram@hotmail.com) wrote:
> Is there a way to disable/suppress hostname checks in while using Secured LDAP in postgreSQL for authentication.
>
> The issue what we have is that the LDAP certificate what we are using is working for fully qualified named of the domain but not when we use a direct LDAP server in the pg_ba.conf file.
>
> For example:
> This works - ldapserver="ldaps//dummy.company.com"
>
> This doesnt work - ldapserver="server1.dummy.company.com"
>
> Our internal LDAP team says that we nees to disable/suppress the hostname checking on the postgreSQL side for the 2nd option to work.
>
> Does anyone have an idea on how we can suppress hostnames check while using Secured LDAP.
This really isn't recommended because the point of the hostname check is
to verify that you're actually talking to the server you intended to.
What LDAP server are you using though..? If this is in an Active
Directory environment, or any environment where you have Kerberos
available, then you should be using Kerberos and *not* using LDAP (or
even LDAPS) for authentication as it isn't nearly as secure.
Thanks!
Stephen
Greetings Sathesh, * Sathesh S (sathesh.sundaram@hotmail.com) wrote: > Thanks for the input Stephen, we are using active directory. You should definitely be using Kerberos then and *not* LDAP for authentication in an Active Directory environment. Thanks! Stephen