Re: LDAPS trusted ca support

From: Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com>
To: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: LDAPS trusted ca support
Date: 2019-12-02 15:37:30
Message-ID: CACg0f4bODC3tF0XMxqO4qs5y2j2C-=8LYdaZo=dxy6gDQfQHDQ@mail.gmail.com
Lists: pgsql-bugs

For the record, to avoid granting more permissions on ldap.conf, it is enough
to add the following line

Environment=LDAPTLS_CACERT=/var/lib/pgsql/12/data/my-root-ca.pem

to systemd's postgresql-12.service file!

Thanks again,

On Mon, 2 Dec 2019 at 14:13 Marco Cuccato <
mcuccato(dot)vts(at)gmail(dot)com> wrote:

> Thanks Thomas,
> your suggestions put me on the right way.
> I was performing the ldapsearch as root and not as the postgresql user,
> which is the user that runs the postgres service.
> Thanks to ldapsearch debug, I found that this user was not able to read
> the /etc/openldap/ldap.conf file, which contains the TLS configuration
> properties such as TLS_CACERT, TLS_CACERTDIR and TLS_CACERTFILE that point
> to the needed self-signed certificate.
> After letting the postgres user read this file, the ldap authentication
> works.
> Just a clarification: ldapscheme=ldap with ldaptls=1 works, any other
> combination does not work.
> Thank you very much,
> Marco
>
> On Mon, 25 Nov 2019 at 22:33 Thomas Munro <
> thomas(dot)munro(at)gmail(dot)com> wrote:
>
>> On Tue, Nov 26, 2019 at 4:35 AM Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com>
>> wrote:
>> > Ok, sorry for the mail before, I misunderstood your suggestion.
>> > I verified the ldap.conf file and the TLS_CACERT parameter points to a
>> PEM file which already contains the certificate that signs the LDAP server
>> certificate.
>>
>> Here are some things I'd check: When you used the ldapsearch command,
>> did you use -ZZ? (Just -Z means something like try to use SSL but
>> don't worry if it doesn't work; -ZZ requires it to work). Does the
>> "postgres" user (assuming the RHEL packages use that to run
>> PostgreSQL) have permissions to read the files it needs to read? If
>> you become that user with su - postgres, can you use the "ldapsearch"
>> command successfully? If you do strace -f -p [postmaster], and then
>> try to log in with your LDAP-authenticated user, does it give you a
>> clue about what files it is accessing or failing to access, and then
>> if you compare "strace ldapsearch ...", does that give you a clue
>> about what is different? If you do ldd /path/to/postgres and ldd
>> /path/to/ldapsearch can you see that they're both using the same
>> libldap-XXX.so.Y (if they were using different OpenLDAP client
>> libraries they might have different .conf paths compiled into them)?
>>
>
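
The checks discussed in this thread (can the service user read ldap.conf, can it read the CA file that ldap.conf or LDAPTLS_CACERT points to, and does ldapsearch -ZZ succeed) can be scripted so they are run as the service user rather than as root. The following is an added example, not code from the thread or from the PostgreSQL or OpenLDAP projects; the function names, the default ldap.conf path and the `su - postgres` invocation are assumptions and should be adjusted to the system at hand.

```shell
#!/bin/sh
# Added example: run as the service user to reproduce the diagnosis above, e.g.
#   su - postgres -s /bin/sh -c 'sh ldap_tls_check.sh'
# Function names and default paths are assumptions, not project code.

# Print the CA file the OpenLDAP client will use. The LDAPTLS_CACERT
# environment variable (what the systemd Environment= line sets) wins over
# TLS_CACERT in ldap.conf. Returns 2 when ldap.conf itself is unreadable,
# which is the failure mode found in the thread.
ldap_tls_ca_path() {
    conf="${1:-/etc/openldap/ldap.conf}"
    if [ -n "$LDAPTLS_CACERT" ]; then
        printf '%s\n' "$LDAPTLS_CACERT"
        return 0
    fi
    if [ ! -r "$conf" ]; then
        return 2
    fi
    # First TLS_CACERT directive; comment lines never match on field 1.
    awk '$1 == "TLS_CACERT" { print $2; exit }' "$conf"
}

# Return 0 when the CA file exists and is readable by the current user,
# otherwise print a one-line diagnosis and return 1.
check_ca_readable() {
    conf="${1:-/etc/openldap/ldap.conf}"
    ca=$(ldap_tls_ca_path "$conf"); rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "FAIL: $(id -un) cannot read $conf (fix permissions or set LDAPTLS_CACERT in the unit file)"
        return 1
    fi
    if [ -z "$ca" ]; then
        echo "FAIL: no TLS_CACERT in $conf and LDAPTLS_CACERT is unset"
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "FAIL: CA file $ca is not readable by $(id -un)"
        return 1
    fi
    echo "OK: CA file $ca readable by $(id -un)"
    return 0
}

# Optional live check. -ZZ makes ldapsearch fail unless StartTLS is
# negotiated and the server certificate verifies, which is what
# ldaptls=1 in pg_hba.conf requires. Skips when ldapsearch is absent.
check_starttls() {
    host="$1"; base="$2"
    if ! command -v ldapsearch >/dev/null 2>&1; then
        echo "SKIP: ldapsearch not installed"
        return 0
    fi
    if ldapsearch -ZZ -x -H "ldap://$host" -b "$base" -s base '(objectClass=*)' >/dev/null 2>&1; then
        echo "OK: StartTLS to $host verified"
        return 0
    fi
    echo "FAIL: StartTLS to $host failed (rerun with ldapsearch -d 1 to see the TLS error)"
    return 1
}
```

Run `check_ca_readable` first; if it fails while the same command succeeds as root, the problem is file permissions for the service user, exactly the case in this thread, and either opening ldap.conf to that user or setting LDAPTLS_CACERT in the unit file resolves it. Only then is `check_starttls` worth running.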
