Обсуждение: Ldap config for Active Directory
Hello community,
I'm using postgreSQL with docker image, most of them are postgres 14+Postgis
We have to use LDAP in our AD environment, Users could use Kerberos but service accounts used by Apps can't.
The problem that I'm facing is our different users are in different OUs, let's say we have two different OUs both at the root path of our AD
AdminOU and UserOU
Here my first working setup:
host all +ldap_roles 192.168.0.0/16 ldap ldapurl="ldap://ldap.service:636/ou=AdminOU,dc=domain,dc=org?sAMAccountName?sub" ldapbinddn="cn=postgres_bind,ou=level1,ou=level2,dc=domain,dc=org" ldapbindpasswd="password"
So all admin users can be 'seen' by postgres, auth is working well.
If I remove the AdminOU : ldapurl="ldap://ldap.service:636/dc=domain,dc=org?sAMAccountName?sub"
Then I got a LdapBind error:
DETAIL: LDAP diagnostics: 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0
, v2580
, v2580
After multiple try and error I got something that is working, but for me it does have sense why it failed previously.. I had to :
- Change the ldap port, to use the Global Catalog LDAP SSL 3269
- To change the bind user syntax, and use user@domain
I tried All these options separately and only this combination is working
host all +ldap_roles 192.168.0.0/16 ldap ldapurl="ldap://ldap.service:3269/dc=domain,dc=org?sAMAccountName?sub" ldapbinddn="postgres_bind@domain.org" ldapbindpasswd="password"
Cheers,
Sylvain
Greetings, * Sylvain Deveaux (Sylvain.Deveaux@niwa.co.nz) wrote: > We have to use LDAP in our AD environment, Users could use Kerberos but service accounts used by Apps can't. Why do you say that you can't use kerberos w/ apps? > host all +ldap_roles 192.168.0.0/16 ldap ldapurl="ldap://ldap.service:636/ou=AdminOU,dc=domain,dc=org?sAMAccountName?sub" ldapbinddn="cn=postgres_bind,ou=level1,ou=level2,dc=domain,dc=org"ldapbindpasswd="password" Note that using ldap auth means sending the user's password to the PG server in cleartext, which is extremely insecure and means that a compromised PG server could be used to steal the credentials of any user logging in using this method. Thanks, Stephen
Вложения
Why do you say that you can't use kerberos w/ apps?
I prefer to not reply to this one otherwise I won't be kind with some people... 😅️
Note that using ldap auth means sending the user's password to the PGserver in cleartext, which is extremely insecure and means that acompromised PG server could be used to steal the credentials of any userlogging in using this method.
I agree... but for now I can't switch a to full Kerberos setup...
On Thu, 2022-09-15 at 15:16 -0400, Stephen Frost wrote:
Greetings,* Sylvain Deveaux (Sylvain.Deveaux@niwa.co.nz) wrote:We have to use LDAP in our AD environment, Users could use Kerberos but service accounts used by Apps can't.Why do you say that you can't use kerberos w/ apps?host all +ldap_roles 192.168.0.0/16 ldap ldapurl="ldap://ldap.service:636/ou=AdminOU,dc=domain,dc=org?sAMAccountName?sub" ldapbinddn="cn=postgres_bind,ou=level1,ou=level2,dc=domain,dc=org" ldapbindpasswd="password"Note that using ldap auth means sending the user's password to the PGserver in cleartext, which is extremely insecure and means that acompromised PG server could be used to steal the credentials of any userlogging in using this method.Thanks,Stephen
Greetings, * Sylvain Deveaux (Sylvain.Deveaux@niwa.co.nz) wrote: > Why do you say that you can't use kerberos w/ apps? > > I prefer to not reply to this one otherwise I won't be kind with some people... 😅️ ... ok, but let's try to make clear the distinction of "$people won't let me do this" from "this isn't possible" when posting, as otherwise people who read the lists may get misled or confused. > Note that using ldap auth means sending the user's password to the PG > server in cleartext, which is extremely insecure and means that a > compromised PG server could be used to steal the credentials of any user > logging in using this method. > > I agree... but for now I can't switch a to full Kerberos setup... I'd suggest you push back a bit harder on this as it's much, much more secure to use Kerberos and it's how all the various services in the AD world operate. Services that pass passwords around in cleartext are really very insecure. Thanks, Stephen