PostgreSQL 9.0 authentication against LDAP/AD

From: Michael O'Donnell <odonnellm(at)usgs(dot)gov>
To: pgsql-admin(at)postgresql(dot)org
Subject: PostgreSQL 9.0 authentication against LDAP/AD
Date: 2012-08-08 02:07:25
Message-ID: OFF8E621C8.2C94218A-ON87257A54.000957AF-87257A54.000BAABD@usgs.gov
Lists: pgsql-admin

Hello,

I am trying to authenticate PostgreSQL 9.0 login roles against LDAP/Active
Directory (AD). PostgreSQL 9.0 is installed on Windows 2008 R2 64-bit. My
pg_hba.conf setting looks like the following:

host <db> <user> samenet ldap ldapserver=<server.domain.net.com> ldapprefix="DOMAIN\"
I am populating the <db>, <user>, <server.domain.net.com>, and DOMAIN with
real values.

When I use the following psql command I get an error:
C:\Windows\System32>psql -d <db> -U <user> -W
Password for user <user>:
psql: FATAL: password authentication failed for user "<user>"

I have added the <user> to the login role and the user exists in AD.

If I use psycopg2 (a Python module that is commonly used for PostgreSQL
interaction), I can actually connect to the database using the settings
specified in the pg_hba.conf file shown above. If I use a false username,
the script fails. Therefore the script is behaving as I would expect, but
I am confused why psql is behaving differently.

Questions:
1. Does my pg_hba.conf setting seem correct?
2. If my pg_hba.conf setup is correct, why is psql failing (does not fail
using a second user specified in db that authenticates with password)? I
also tried specifying ldapport, but this was causing a failure in postgres
reading the conf. I am able to use the same command on different databases
and for different users and this works.
3. Is the transfer of the password automatically encrypted? I read in a
blog that using LDAP does not encrypt and I need to use SSL. I tried using
ldaptls=1 but this was causing a failure in postgres reading the conf.
4. There is some documentation I have found online on how to set this up
but most of the examples/blogs were not helping me to work through this.

Thank you for any help you can provide.
mike

- - - - - - - - - - - - - - - - - - - - - - - - - -
Michael O'Donnell
Phone: 970.226.9407
Fax: 970.226.9230
Email: odonnellm(at)usgs(dot)gov

United States Geological Survey/BRD
Fort Collins Science Center
2150 Centre Ave., Bldg C
Fort Collins, CO 80526
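
Added example, not part of the original message: a small Python audit of pg_hba.conf records that use the ldap method, relating to question 3 above. It reports records that also match non-SSL client connections (with the ldap method the client sends the password to the PostgreSQL server in clear text) and records without ldaptls=1 (the bind from PostgreSQL to the LDAP server is then unencrypted). The sample file, its database, user and server names, and the finding labels are constructed for illustration; only whole-line comments are handled.

```python
import re

# Constructed sample file; database, user and server names are placeholders.
SAMPLE = r'''
# TYPE   DATABASE USER  ADDRESS METHOD OPTIONS
host     appdb    alice samenet ldap ldapserver=ldap.example.test ldapprefix="DOMAIN\"
hostssl  appdb    bob   samenet ldap ldapserver=ldap.example.test ldapprefix="DOMAIN\" ldaptls=1
host     appdb    carol 10.0.0.0 255.0.0.0 md5
'''

# pg_hba.conf quoting: double quotes group a value, "" is a literal quote,
# and a backslash is an ordinary character (so "DOMAIN\" is a complete value).
TOKEN = re.compile(r'(?:"(?:[^"]|"")*"|[^\s"])+')
QUOTED = re.compile(r'"((?:[^"]|"")*)"')

def tokens(line):
    """Split one record into fields and strip the grouping quotes."""
    return [QUOTED.sub(lambda m: m.group(1).replace('""', '"'), t)
            for t in TOKEN.findall(line)]

def audit_ldap(text):
    """Return (line number, finding) pairs for records using the ldap method."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = tokens(line)
        conn_type = tok[0]
        rest = tok[3:]                      # fields after TYPE DATABASE USER
        if conn_type.startswith("host"):
            rest = rest[1:]                 # skip ADDRESS
            if rest and re.fullmatch(r"[\d.]+|.*:.*", rest[0]):
                rest = rest[1:]             # skip a separate netmask field
        if not rest or rest[0] != "ldap":
            continue
        opts = dict(o.split("=", 1) for o in rest[1:] if "=" in o)
        if conn_type != "hostssl":
            # "host" also matches non-SSL connections from the client
            findings.append((lineno, "client-cleartext"))
        if opts.get("ldaptls") != "1":
            # no TLS on the PostgreSQL -> LDAP server connection
            findings.append((lineno, "ldap-bind-cleartext"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_ldap(SAMPLE):
        print(f"line {lineno}: {finding}")
```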
