Re: PostGres Config to Authenticate against AD over LDAP

From: Richard Huxton <dev(at)archonet(dot)com>
To: Richard Esmonde <richard(dot)esmonde(at)archimedesmodel(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: PostGres Config to Authenticate against AD over LDAP
Date: 2009-08-06 08:10:22
Message-ID: 4A7A8FEE.8010609@archonet.com
Lists: pgsql-general

Richard Esmonde wrote:
>
> I'm new to PostGres (so go easy on my naivety). I am trying to configure
> the postgres host based configuration file to permit users to authenticate
> against our Active Directory.

OK. Never tried that myself, but let's see.

> Needless to say both Ubuntu server and AD are in the same Domain.
> . I am running PostgreSQL v8.3.7 on a 64-Bit Ubuntu Hardy Heron Dell
> server with Apache 2.
> . I am not running SSL.
> . This work is happening on a LAN. My AD server=master1 and the
> LAN=belfry.lan
>
> . I installed Postgres as follows:
>
> o # sudo apt-get install postgresql-8.3 postgresql-client-8.3
> postgresql-client-common postgresql-common

All good info. Grab yourself a copy of the source from postgresql.org
too when you have time. Always useful to have a copy. Oh and "ack" too
(package is "ack-grep" on Ubuntu I think) - it's an improved version of
grep.

> It runs just fine and I can create databases users and tables with no
> problems.
>
> Currently, the end of my pg_hba.conf file looks like:

Nothing leaping out at me here. One thing to be aware of is that PG will
try the first authentication method that matches host+db and not try any
further ones.

> I created a testuser and a test database. The user, testuser exists in my
> Active directory with a different password. I can connect as testuser to
> the DB via command line or via pgAdmin III with the postgres password for
> testuser. When I try to connect using the user's LDAP password I always get:
>
> . psql: FATAL: password authentication failed for user testuser

Well, I'd expect LDAP to be mentioned somewhere. Using my source tree,
ack and mighty powers of C knowledge:

backend/libpq/auth.c

    case uaMD5:
    case uaCrypt:
    case uaPassword:
        errstr = gettext_noop("password authentication failed for user \"%s\"");

Looks to me like we're still using md5/password, and indeed a few lines
down is the error we should be seeing:

#ifdef USE_LDAP
    case uaLDAP:
        errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
        break;
#endif /* USE_LDAP */
    default:
        errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
        break;

It also seems that if Ubuntu's installation didn't support ldap we'd see
the last error message.

I think your host must be matching the "password" line in pg_hba.conf.

Oh - two more points.

1. I didn't see anything authentication-related in your logs either.
Plenty of connection startup stuff, but no auth.

2. Wireshark is a handy tool for this sort of thing. It's a network
analyser - point it at port 389 and see what it comes up with.

--
Richard Huxton
Archonet Ltd
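To make the first-match behaviour Richard describes concrete, here is an added example (not part of the thread, and not PostgreSQL's own matching code) that evaluates constructed pg_hba.conf fragments the way the server does: top to bottom, stopping at the first line whose type, database, user and address all match. The LAN range 192.168.1.0/24 and the trailing ldap option are assumed placeholders; real LDAP option syntax depends on the PostgreSQL version.

```python
"""Constructed first-match evaluator for pg_hba.conf rules (illustration only)."""
import ipaddress

# Constructed config: the catch-all md5 line sits above the LDAP line, so a
# LAN client is answered by md5 and the LDAP rule is never consulted.
HBA_WRONG_ORDER = """
# TYPE  DATABASE  USER  CIDR-ADDRESS    METHOD
local   all       all                   ident sameuser
host    all       all   0.0.0.0/0       md5
host    all       all   192.168.1.0/24  ldap ldapserver=master1.belfry.lan
"""

# Same rules with the narrower LDAP rule placed first.
HBA_FIXED_ORDER = """
local   all       all                   ident sameuser
host    all       all   192.168.1.0/24  ldap ldapserver=master1.belfry.lan
host    all       all   0.0.0.0/0       md5
"""

def parse_hba(text):
    """Return (type, database, user, network-or-None, method) per rule; trailing options are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":                   # local rules carry no address column
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:
            rules.append((f[0], f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return rules

def _field_matches(pattern, value):
    # "all" matches anything; otherwise the column is a comma-separated list
    return pattern == "all" or value in pattern.split(",")

def effective_method(hba_text, conn_type, db, user, client_ip=None):
    """Method of the first matching rule, or None: PostgreSQL never falls through
    to a later rule once one matches, even if authentication then fails."""
    for rtype, rdb, ruser, rnet, method in parse_hba(hba_text):
        if rtype != conn_type:
            continue
        if rtype == "host" and ipaddress.ip_address(client_ip) not in rnet:
            continue
        if _field_matches(rdb, db) and _field_matches(ruser, user):
            return method
    return None
```

The evaluator treats `hostssl`/`hostnossl` as distinct types rather than as variants of `host`, which is enough to show why a broad line above a narrow one silently shadows it.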
