Обсуждение: Ldap config for Active Directory

Поиск
Список
Период
Сортировка

Ldap config for Active Directory

От
Sylvain Deveaux
Дата:
Hello community,

I'm using postgreSQL with docker image, most of them are postgres 14+Postgis

We have to use LDAP in our AD environment, Users could use Kerberos but service accounts used by Apps can't.

The problem that I'm facing is our different users are in different OUs, let's say we have two different OUs both at the root path of our AD

AdminOU and UserOU

Here my first working setup:

host all +ldap_roles 192.168.0.0/16 ldap ldapurl="ldap://ldap.service:636/ou=AdminOU,dc=domain,dc=org?sAMAccountName?sub" ldapbinddn="cn=postgres_bind,ou=level1,ou=level2,dc=domain,dc=org" ldapbindpasswd="password"

So all admin users can be 'seen' by postgres, auth is working well.

If I remove the AdminOU :  ldapurl="ldap://ldap.service:636/dc=domain,dc=org?sAMAccountName?sub"

Then I got a LdapBind error:

DETAIL:  LDAP diagnostics: 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0
, v2580


After multiple try and error I got something that is working, but for me it does have sense why it failed previously.. I had to :
  • Change the ldap port, to use the Global Catalog LDAP SSL 3269
  • To change the bind user syntax, and use user@domain

I tried All these options separately and only this combination is working

host all +ldap_roles 192.168.0.0/16 ldap ldapurl="ldap://ldap.service:3269/dc=domain,dc=org?sAMAccountName?sub" ldapbinddn="postgres_bind@domain.org" ldapbindpasswd="password"


Cheers,

Sylvain



 
Sylvain Deveaux
Senior Systems Engineer

+64-4-386-0861
+64-21-123-7933
National Institute of Water & Atmospheric Research Ltd (NIWA)
301 Evans Bay Parade, Greta Point Wellington New Zealand
Connect with NIWA: niwa.co.nz Facebook LinkedIn Twitter Instagram
To ensure compliance with legal requirements and to maintain cyber security standards, NIWA's IT systems are subject to ongoing monitoring, activity logging and auditing. This monitoring and auditing service may be provided by third parties. Such third parties can access information transmitted to, processed by and stored on NIWA's IT systems

Re: Ldap config for Active Directory

От
Stephen Frost
Дата:
Greetings,

* Sylvain Deveaux (Sylvain.Deveaux@niwa.co.nz) wrote:
> We have to use LDAP in our AD environment, Users could use Kerberos but service accounts used by Apps can't.

Why do you say that you can't use kerberos w/ apps?

> host all +ldap_roles 192.168.0.0/16 ldap
ldapurl="ldap://ldap.service:636/ou=AdminOU,dc=domain,dc=org?sAMAccountName?sub"
ldapbinddn="cn=postgres_bind,ou=level1,ou=level2,dc=domain,dc=org"ldapbindpasswd="password"
 

Note that using ldap auth means sending the user's password to the PG
server in cleartext, which is extremely insecure and means that a
compromised PG server could be used to steal the credentials of any user
logging in using this method.

Thanks,

Stephen
Вложения

Re: Ldap config for Active Directory

От
Sylvain Deveaux
Дата:
Why do you say that you can't use kerberos w/ apps?

I prefer to not reply to this one otherwise I won't be kind with some people... 😅️

Note that using ldap auth means sending the user's password to the PG
server in cleartext, which is extremely insecure and means that a
compromised PG server could be used to steal the credentials of any user
logging in using this method.

I agree... but for now I can't switch a to full Kerberos setup... 

On Thu, 2022-09-15 at 15:16 -0400, Stephen Frost wrote:
Greetings,

* Sylvain Deveaux (Sylvain.Deveaux@niwa.co.nz) wrote:
We have to use LDAP in our AD environment, Users could use Kerberos but service accounts used by Apps can't.

Why do you say that you can't use kerberos w/ apps?

host all +ldap_roles 192.168.0.0/16 ldap ldapurl="ldap://ldap.service:636/ou=AdminOU,dc=domain,dc=org?sAMAccountName?sub" ldapbinddn="cn=postgres_bind,ou=level1,ou=level2,dc=domain,dc=org" ldapbindpasswd="password"

Note that using ldap auth means sending the user's password to the PG
server in cleartext, which is extremely insecure and means that a
compromised PG server could be used to steal the credentials of any user
logging in using this method.

Thanks,

Stephen

Sylvain Deveaux
Senior Systems Engineer

+64-4-386-0861
+64-21-123-7933
National Institute of Water & Atmospheric Research Ltd (NIWA)
301 Evans Bay Parade, Greta Point Wellington New Zealand
Connect with NIWA: niwa.co.nz Facebook LinkedIn Twitter Instagram
To ensure compliance with legal requirements and to maintain cyber security standards, NIWA's IT systems are subject to ongoing monitoring, activity logging and auditing. This monitoring and auditing service may be provided by third parties. Such third parties can access information transmitted to, processed by and stored on NIWA's IT systems

Re: Ldap config for Active Directory

От
Stephen Frost
Дата:
Greetings,

* Sylvain Deveaux (Sylvain.Deveaux@niwa.co.nz) wrote:
> Why do you say that you can't use kerberos w/ apps?
>
> I prefer to not reply to this one otherwise I won't be kind with some people... 😅️

... ok, but let's try to make clear the distinction of "$people won't
let me do this" from "this isn't possible" when posting, as otherwise
people who read the lists may get misled or confused.

> Note that using ldap auth means sending the user's password to the PG
> server in cleartext, which is extremely insecure and means that a
> compromised PG server could be used to steal the credentials of any user
> logging in using this method.
>
> I agree... but for now I can't switch a to full Kerberos setup...

I'd suggest you push back a bit harder on this as it's much, much more
secure to use Kerberos and it's how all the various services in the AD
world operate.  Services that pass passwords around in cleartext are
really very insecure.

Thanks,

Stephen
Вложения