Re: LDAPS trusted ca support

From: Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com>
To: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: LDAPS trusted ca support
Date: 2019-12-02 13:13:37
Message-ID: CACg0f4bnvrFaY0vRy-5eyJ+3hYQZPDJ_u=YZTWYe2M8n-rkkpA@mail.gmail.com
Lists: pgsql-bugs

Thanks Thomas,
your suggestions put me on the right track.
I was performing the ldapsearch as root and not as the postgresql user,
which is the user that runs the postgres service.
Thanks to the ldapsearch debug output, I found that this user was not able to read the
/etc/openldap/ldap.conf file, which contains the TLS configuration
properties such as TLS_CACERT, TLS_CACERTDIR and TLS_CACERTFILE that point
to the needed self-signed certificate.
After allowing the postgres user to read this file, the ldap authentication
works.
Just a clarification: ldapscheme=ldap with ldaptls=1 works, any other
combination does not work.
Thank you very much,
Marco

Il giorno lun 25 nov 2019 alle ore 22:33 Thomas Munro <
thomas(dot)munro(at)gmail(dot)com> ha scritto:

> On Tue, Nov 26, 2019 at 4:35 AM Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com>
> wrote:
> > Ok sorry for the mail before I misunderstood your suggestion.
> > I verified the ldap.conf file and the TLS_CACERT parameter points to a
> > PEM file which already contains the certificate that signs the LDAP server
> > certificate.
>
> Here are some things I'd check: When you used the ldapsearch command,
> did you use -ZZ? (Just -Z means something like try to use SSL but
> don't worry if it doesn't work; -ZZ requires it to work). Does the
> "postgres" user (assuming the RHEL packages use that to run
> PostgreSQL) have permissions to read the files it needs to read? If
> you become that user with su - postgres, can you use the "ldapsearch"
> command successfully? If you do strace -f -p [postmaster], and then
> try to log in with your LDAP-authenticated user, does it give you a
> clue about what files it is accessing or failing to access, and then
> if you compare "strace ldapsearch ...", does that give you a clue
> about what is different? If you do ldd /path/to/postgres and ldd
> /path/to/ldapsearch can you see that they're both using the same
> libldap-XXX.so.Y (if they were using different OpenLDAP client
> libraries they might have different .conf paths compiled into them)?
>
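The permission check Thomas suggests, and the cause Marco found (the account running PostgreSQL could not read /etc/openldap/ldap.conf and the CA material it names), as an added example that is not part of this thread; it assumes the "KEY value" syntax of ldap.conf and paths without whitespace:

```shell
#!/bin/sh
# Added example, not code from the thread: find the TLS_* paths that an
# OpenLDAP client config (e.g. /etc/openldap/ldap.conf) refers to and check
# that the account running PostgreSQL can read the config and each path.
# Assumes the "KEY value" syntax of ldap.conf and paths without whitespace.

# Print "KEY path" for every TLS_CACERT, TLS_CACERTDIR or TLS_CACERTFILE line.
ldap_tls_paths() {
  awk '$1 == "TLS_CACERT" || $1 == "TLS_CACERTDIR" || $1 == "TLS_CACERTFILE" {
         print $1, $2 }' "$1"
}

# Report the config file and each referenced path as OK, MISSING or
# UNREADABLE for the current user. Returns 0 only if everything is readable.
# Run it as the service account, e.g. (hypothetical path to this script):
#   su - postgres -s /bin/sh -c '. /tmp/ldap_tls_check.sh; ldap_tls_check /etc/openldap/ldap.conf'
ldap_tls_check() {
  conf=$1
  rc=0
  if [ ! -r "$conf" ]; then
    echo "UNREADABLE config $conf"
    return 1
  fi
  echo "OK config $conf"
  for entry in $(ldap_tls_paths "$conf" | awk '{ print $1 "=" $2 }'); do
    key=${entry%%=*}
    path=${entry#*=}
    if [ ! -e "$path" ]; then
      echo "MISSING $key $path"; rc=1
    # a directory (TLS_CACERTDIR) also needs the execute bit to be traversed
    elif [ ! -r "$path" ] || { [ -d "$path" ] && [ ! -x "$path" ]; }; then
      echo "UNREADABLE $key $path"; rc=1
    else
      echo "OK $key $path"
    fi
  done
  return $rc
}

if [ "$#" -gt 0 ]; then
  ldap_tls_check "$1"
fi
```

A non-zero exit from the service account points at exactly the file the OpenLDAP client library (and therefore libpq's LDAP auth) cannot open, which is what the strace and ldapsearch comparison above would otherwise reveal.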
