From: Richard Huxton <dev(at)archonet(dot)com>
To: Richard Esmonde <richard(dot)esmonde(at)archimedesmodel(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: PostGres Config to Authenticate against AD over LDAP
Date: 2009-08-06 08:10:22
Message-ID: 4A7A8FEE.8010609@archonet.com
Lists: pgsql-general
Richard Esmonde wrote:
>
> I'm new to Postgres (so go easy on my naivety). I am trying to configure
> the postgres host based configuration file to permit users to authenticate
> against our Active Directory.
OK. Never tried that myself, but let's see.
> Needless to say both Ubuntu server and AD are in the same Domain.
> - I am running PostgreSQL v8.3.7 on a 64-bit Ubuntu Hardy Heron Dell
>   server with Apache 2.
> - I am not running SSL.
> - This work is happening on a LAN. My AD server=master1 and the
>   LAN=belfry.lan
>
> - I installed Postgres as follows:
>
>   - # sudo apt-get install postgresql-8.3 postgresql-client-8.3
>     postgresql-client-common postgresql-common
All good info. Grab yourself a copy of the source from postgresql.org
too when you have time. Always useful to have a copy. Oh and "ack" too
(package is "ack-grep" on Ubuntu I think) - it's an improved version of
grep.
> It runs just fine and I can create databases, users and tables with no
> problems.
>
> Currently, the end of my pg_hba.conf file looks like:
Nothing leaping out at me here. One thing to be aware of is that PG will
try the first authentication method that matches host+db and not try any
further ones.
> I created a testuser and a test database. The user, testuser, exists in my
> Active Directory with a different password. I can connect as testuser to
> the DB via command line or via pgAdmin III with the postgres password for
> testuser. When I try to connect using the user's LDAP password I always get:
>
> - psql: FATAL: password authentication failed for user testuser
Well, I'd expect LDAP to be mentioned somewhere. Using my source tree,
ack and mighty powers of C knowledge:

backend/libpq/auth.c:

    case uaMD5:
    case uaCrypt:
    case uaPassword:
        errstr = gettext_noop("password authentication failed for user \"%s\"");
Looks to me like we're still using md5/password, and indeed a few lines
down is the error we should be seeing:
    #ifdef USE_LDAP
    case uaLDAP:
        errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
        break;
    #endif   /* USE_LDAP */
    default:
        errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
        break;

It also seems that if Ubuntu's installation didn't support ldap we'd see
the last error message.
I think your host must be matching the "password" line in pg_hba.conf.
Oh - two more points.
1. I didn't see anything authentication-related in your logs either.
Plenty of connection startup stuff, but no auth.
2. Wireshark is a handy tool for this sort of thing. It's a network
analyser - point it at port 389 and see what it comes up with.
--
Richard Huxton
Archonet Ltd
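The first-match rule discussed above, as an added illustration that is not part of the original thread: pg_hba.conf is read top to bottom and the first line whose type, database, user and address all match decides the method, so a broad md5/password line placed before the ldap line means the ldap line is never reached and the AD password is checked against the Postgres one. The server name master1.belfry.lan, the 192.168.1.0/24 network, the database name testdb and the 8.3-style LDAP option string are assumptions.

```conf
# Constructed example, not the poster's actual pg_hba.conf.
# Host master1.belfry.lan, network 192.168.1.0/24 and database testdb are assumed.

# --- Problematic ordering: the catch-all md5 line matches every client first,
# --- so the ldap line below is never consulted and an AD password produces
# --- "password authentication failed for user testuser".
# TYPE  DATABASE  USER      CIDR-ADDRESS     METHOD
host    all       all       0.0.0.0/0        md5
host    all       all       192.168.1.0/24   ldap "ldap://master1.belfry.lan/dc=belfry,dc=lan;;@belfry.lan"

# --- Corrected ordering: most specific rule first, PostgreSQL stops at the
# --- first match, and the md5 fallback is limited to local connections.
# TYPE  DATABASE  USER      CIDR-ADDRESS     METHOD
local   all       postgres                   ident sameuser
host    testdb    testuser  192.168.1.0/24   ldap "ldap://master1.belfry.lan/dc=belfry,dc=lan;;@belfry.lan"
host    all       all       127.0.0.1/32     md5

# 8.3 option string: ldap[s]://server[:port]/basedn;prefix;suffix. The bind
# name is prefix + username + suffix, here testuser@belfry.lan (a UPN that AD
# accepts for a simple bind). 8.4 and later spell the same thing with
# ldapserver=... ldapprefix=... ldapsuffix=... keywords.
# Caveat: with plain ldap:// and no TLS the simple bind sends the password in
# cleartext on port 389, as would the "password" method on the Postgres side;
# prefer ldaps:// (or ldaptls in 8.4+) and md5 over password.
```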