Re: LDAP Authentication

Taha Ozket wrote:
> Hi,
>
> I have a ldap group, "pgsql-developers". I have an user (user1) member
> of this group;
>
> group
> dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
> objectClass: groupOfUniqueNames
> objectClass: top
> cn: SVN Committers
> uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
>
> user
> dn: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
> objectClass: person
> objectClass: top
> objectClass: uidObject
> cn:: Denem1
> sn:: Deneme2
> uid: user1
> userPassword:: e01ENX10WnhudnhscVIxZ1pIa0wzWm5ET3VnPT0=
>
> I added this line to pg_hba.conf [1]
>
> host all all 172.20.0.0/16 ldap
> "ldap://localhost/basedn;cn=;,cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x"
>
> But now postgresql requires my user1 must be define under
> cn=pgsql-developers,ou=Groups.. But I want to give login permission to
> pgsql-developers members.
>
> How can I change this line for give login permission to
> pgsql-developers members?

This is not something you currently can do. We can only do LDAP
authentication, not authorization. There's no way to restrict it to a
particular group.

One way to accomplish what you're trying to do is to have a script that
synchronizes the members of the group to PostgreSQL accounts (account
name and role membership only), and still use LDAP for authentication.
It doesn't work in every case, but it does work in most.

//Magnus