Re: Using LDAP with postgresql 8.2

From: Kieren Scott <kierenscott(at)hotmail(dot)com>
To: <geza(at)kzsdabas(dot)hu>, <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Using LDAP with postgresql 8.2
Date: 2010-11-03 14:44:59
Message-ID: BAY149-w130580AE5213DB612814A9AE4A0@phx.gbl
Lists: pgsql-admin


Hi,

I have made some progress on this, in that I've managed to get LDAP authentication working, but not quite as I expected.

I found out that the Canonical Name in AD was set to "PG Test" for the account name "pgtest".

If I add "PG Test" as the user in pg_hba.conf and create a login "PG Test" (matching case) and then try to log in using LDAP authentication as follows: -

psql -h hostname -p 5432 -d dbname -U "PG Test"

This works and allows me to log in to the database!

So Postgresql is matching the Username from psql client to the CN (canonical name) in Active Directory.

The problem now is that we need to match the username to the Account name in AD; we can't change the CNs in AD just to match what Postgresql needs, because so many other applications authenticate against AD...

Is there any way of mapping CNs to Postgresql usernames? Has anybody else encountered this same problem, and have you managed to get round it?

Regards.

Date: Fri, 29 Oct 2010 07:12:04 +0200
From: geza(at)kzsdabas(dot)hu
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: [ADMIN] Using LDAP with postgresql 8.2


Hi,

I'm not an AD expert myself, but I've read somewhere that AD disallows
simple binds without using SSL.

You could try enabling ssl on AD, or try the krb5 authentication method
for pg.

Good Luck

Geza

I've set up LDAP on Postgresql 8.3.6 by adding the following line to
pg_hba.conf. My Active Directory has a group called 'users group' which
contains an entry for user pgtest.

host all pgtest xx.xxx.x.x/xx ldap "ldap://server.mydomain.com:389/basedn;cn=;,ou=users group,dc=mydomain,dc=com"

I have restarted the PG server but when I try to connect via psql from
another host, I get the following error: -

2010-10-28 16:30:36 BST [1095]: [2-1] FATAL: LDAP authentication
failed for user "pgtest"

2010-10-28 16:30:36 BST [1096]: [1-1] LOG: LDAP login failed for user
"cn=pgtest,ou=users group,dc=mydomain,dc=com" on server
"server.mydomain.com": error code 49

So it looks like the cn, ou and dc parameters are correct, but for some
reason OpenLDAP is returning error 49, which is a generic
authentication failure message.

Can anyone suggest anything that I might be doing wrong? Could it be
the line in pg_hba.conf that is wrong, or possibly the ldap package on
the server (debian linux) not working properly?

Any ideas much appreciated!

From: kierenscott(at)hotmail(dot)com
To: pgsql-admin(at)postgresql(dot)org
Subject: Using LDAP with postgresql 8.2
Date: Wed, 27 Oct 2010 17:57:32 +0000


Hi,

I'm looking to implement LDAP authentication against Active Directory
for my Postgresql databases. What are people's experiences of using LDAP
for authenticating logins with AD?

Is it easy to set up, and is there anything to watch out for? E.g. does
Postgresql do anything intrusive on Active Directory (create anything),
or does it just simply bind to AD, validate the username/password pair
and return success/failure back to the client?

Many thanks!
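As an added illustration (not code from this thread or from PostgreSQL itself), the following parses the pg_hba.conf ldap URL quoted above in its 8.2/8.3 form, which the documentation of those releases describes as binding with prefix + username + suffix, and builds the DN the server would bind with. It shows why the name typed at psql has to equal the object's cn rather than its account name: the username is spliced straight into the RDN. The RFC 4514 escaping is an added safeguard for usernames containing DN metacharacters and is assumed, not something the thread's configuration performs.

```python
import re

# Constructed copy of the pg_hba.conf LDAP URL from the thread (8.2/8.3 form):
#   ldap://host[:port]/basedn;prefix;suffix
PG_HBA_LDAP_URL = ("ldap://server.mydomain.com:389/basedn;"
                   "cn=;,ou=users group,dc=mydomain,dc=com")

# Characters RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a raw string so it can be spliced into a DN as an attribute value.
    This escaping is an added safeguard; the thread's configuration splices
    the name in exactly as typed."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:           # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def parse_ldap_url(url: str) -> dict:
    """Split the pre-8.4 ldap URL into host, port, basedn, prefix and suffix."""
    m = re.fullmatch(r"ldap://([^:/]+)(?::(\d+))?/([^;]*);([^;]*);(.*)", url)
    if not m:
        raise ValueError("not a pre-8.4 pg_hba.conf ldap URL: %r" % url)
    host, port, basedn, prefix, suffix = m.groups()
    return {"host": host, "port": int(port) if port else 389,
            "basedn": basedn, "prefix": prefix, "suffix": suffix}


def bind_dn(url: str, pg_username: str, escape: bool = True) -> str:
    """Return the DN the server binds with: prefix + username + suffix.
    The username becomes the RDN value, so a simple bind against AD only
    succeeds when it equals the object's cn, which is why "PG Test" worked
    in the thread and "pgtest" (the account name) did not."""
    cfg = parse_ldap_url(url)
    user = escape_dn_value(pg_username) if escape else pg_username
    return cfg["prefix"] + user + cfg["suffix"]
```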
