RE: BUG #16234: LDAP Query

Hi Sujith,

* PG Bug reporting form (noreply(at)postgresql(dot)org) wrote:
> > I have a requirement to do authentication through LDAP, the LDAP query
> > should go to two different LDAP servers with dedicated binding users (
> > different for two LDAP servers) , if the user is not available in
> > first LDAP then it should check in second LDAP. But here as per hba
> > file , it won't work in this model ( If there is no successful search
> > in first hope, it will throw error).
> >
> > So we have to do multiple query in the LDAP query string, how we can
> > do this?
>
> What kind of setup is this, that you have two LDAP servers involved..?
> That's certainly not a common setup that I've seen..

I have seen his type of setup before when companies have two different LDAP servers.
One LDAP Server for Employees
One LDAP Server for Non-Employees and System Accounts

The way to make this work, is to pick one of the groups of people and create a Postgres group and add all those users to that group. Let's call the Postgres group ldap1_group.

You now need to duplicate each line in your pg_hba.conf file. The first line you will point to ldap1 and the second line you will point to ldap2. Then in the first line update the user field where you might normally have "all" to "+ldap1_group". The + tells Postgres that this is a group and to use this authentication method for everybody in that Postgres group.

Hope this helps,
Lloyd Albin