| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Pierre Ochsenbein <pierreochsenbein(at)gmail(dot)com> |
| Cc: | pgsql-admin <pgsql-admin(at)postgresql(dot)org> |
| Subject: | Re: LDAP auth |
| Date: | 2019-06-19 15:14:50 |
| Message-ID: | 20190619151450.GS2480@tamriel.snowman.net |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Greetings,
* Pierre Ochsenbein (pierreochsenbein(at)gmail(dot)com) wrote:
> I'm running on PostgreSQL 10.6 and would like to connect with LDAP users
> I have sync all users from my group in my database and I can find users :-)
>
> hostssl all all 10.1.1.0/24 ldap
> ldapurl="ldap://ldap.local/OU=ASA,OU=Forest%20Admin%20Accounts%20%26%20Roles,DC=ASATL,DC=NET?sAMAccountName?sub"
> ldaptls=1 ldapbinddn="CN=POSTGRES,OU=Service Accounts,OU=Global,OU=Member
> Servers,DC=PMINTL,DC=NET" ldapbindpasswd='password001'
>
> What is the best way to put the LDAP query in pg_hba? I think the error
> comes from here
Are you in an Active Directory environment? If so, you'd be much better
off using Kerberos/GSSAPI instead of LDAP. There's specific information
about doing that available here:
https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
Note that when using LDAP in this way, the user's password ends up being
sent from the client to the server, so if the PG server is compromised
then user's passwords can end up being exposed, allowing a potential
attacker to then impersonate the user to gain access to other services
in the environment (as that's the user's single-sign-on password...).
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavan Kumar | 2019-06-19 21:14:33 | zero data loss recovery is possbile with pgbackrest tool? |
| Previous Message | Pierre Ochsenbein | 2019-06-19 11:36:48 | LDAP auth |