From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Robst <tomrobst(at)thermocable(dot)com> |
Cc: | pgsql-general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: LDAP Login Problem |
Date: | 2010-03-03 15:18:38 |
Message-ID: | 9837222c1003030718h1f4fc82dtf0d72e138bb942d4@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
2010/3/3 Tom Robst <tomrobst(at)thermocable(dot)com>:
> Hi,
>
> I am having a problem with authentication using LDAP on PostgreSQL 8.4.2.
>
> The problem seems to be limited to which attribute is specified in the ldapprefix. If I specify "uid=" and then try login using the username "trobst" (which is the value in the ldap db) I get an error:
>
> host all all 192.168.1.0/24 ldap ldapserver=ldap.thermocable.com ldapprefix="uid=" ldapsuffix=",cn=Staff,dc=thermocable,dc=com"
>
> LOG: LDAP login failed for user
> "uid=trobst,cn=Staff,dc=thermocable,dc=com" on server
> "ldap.thermocable.com": error code 49
> FATAL: LDAP authentication failed for user "trobst"
>
> However if I specify the ldapprefix to be "cn=" and login using the username "Tom Robst" it all works fine.
>
> host all all 192.168.1.0/24 ldap ldapserver=ldap.thermocable.com ldapprefix="cn=" ldapsuffix=",cn=Staff,dc=thermocable,dc=com"
The LDAP authentication needs to bind with the full DN, which is
"cn=...". Specifying uid= doesn't make it a valid LDAP distinguished
name. So unless your LDAP server is "tricky" (like the Microsoft one,
which accepts both DN and "DOMAIN\username" in the login packet),
there's nothing you can do I think. (well, you can also change all
your DNs in the LDAP catalog, but that's likely to break a lot of
other things)
PostgreSQL 9.0 will allow you do do a search+bind to get the
functionality you want. The change should be fairly standalone so you
could probably have it backpatched if it's urgent for you, but since
it's a new feature it's not something the community backpatches.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2010-03-03 15:19:46 | Re: How to grant a user read-only access to a database? |
Previous Message | Thom Brown | 2010-03-03 15:06:21 | Re: How to grant a user read-only access to a database? |