Re: BUG #9818: LDAP Authentication subtree problem

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: jan(dot)sarenik(at)generali(dot)cz
Cc: pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #9818: LDAP Authentication subtree problem
Date: 2014-04-18 13:51:36
Message-ID: CABUevEyDJfqpNXMy++zooSPsT5vPXqOi8T-cj1CnR_tzUAt-=A@mail.gmail.com
Lists: pgsql-bugs

On Tue, Apr 1, 2014 at 4:19 PM, <jan(dot)sarenik(at)generali(dot)cz> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 9818
> Logged by: Ján Sáreník
> Email address: jan(dot)sarenik(at)generali(dot)cz
> PostgreSQL version: Unsupported/Unknown
> Operating system: CentOS 6.5
> Description:
>
> Hello!
>
> The following line is my only record in pg_hba.conf:
> local all all ldap
>
> ldapurl="ldap://aa00aaa001.aaaa.corp.local/DC=aaaa,DC=corp,DC=local?sAMAccountName?sub"
> ldapbinddn="CN=svcLDAPDWH,OU=Services,OU=UsersAdm,DC=aaaa,DC=corp,DC=local"
> ldapbindpasswd="XXXXXX"
>
> LDAP server is Microsoft Active Directory.
> I am testing on 554bb3beba27bf4a49edecc40f6c0f249974bc7c (today's git tree)
> Version of OpenLDAP does not influence it (I have linked it with current
> release, no change).
> All I want in the end is to log into postgres as both of the following users
>
> CN=A000001,OU=UsersW7,DC=gpcz,DC=corp,DC=local
> CN=A000002,OU=UsersStd,DC=gpcz,DC=corp,DC=local
>
> Instead all I am getting is:
> LOG: could not search LDAP for filter "(CN=A000001)" on server
> "aa00aaa001.aaaa.corp.local": Operations error
> LOG: could not search LDAP for filter "(CN=A000002)" on server
> "aa00aaa001.aaaa.corp.local": Operations error
>
> If I specify ldapurl to contain OU=UsersW7, I can log in as A000001
> but not A000002 (and vice versa).
>
> The only workaround I was able to do so far is the following, based
> on the idea that LDAP_OPERATIONS_ERROR produced by MS AD server
> is misleading. See end of
> http://msdn.microsoft.com/en-us/library/dd303696.aspx

That page is about the ModifyObject() function, which we're
definitely not calling. And it's under the section about DFS replication
helper protocol. So either you posted the wrong URL, or you have
misdiagnosed it.

Do you get anything in the AD controller logs at this time? Or if you can
get a packet trace, does it show something clear about what's actually
going wrong?

I wonder if it might be related to the use of an LDAP URL, that somehow
gets the subtree search wrong. Can you check to see if it works if you
specify the individual parts without using a URL, e.g.

local all all ldap
ldapserver=aa00aaa001.aaaa.corp.local ldapbasedn=DC=aaaa,DC=corp,DC=local
ldapsearchattribute=sAMAccountName
ldapbinddn="CN=svcLDAPDWH,OU=Services,OU=UsersAdm,DC=aaaa,DC=corp,DC=local"
ldapbindpasswd="XXXXXX"

For ldap auth not using the url syntax, subtree search is always used.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
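A small parser for the ldapurl form discussed in this thread, added here as an example and not PostgreSQL's own code. It assumes the URL layout ldap://host[:port]/basedn?attribute?scope, emits the explicit-option spelling suggested in the reply (only possible for sub scope, since that form always searches the subtree), and builds the (attribute=user) filter the log lines show; the RFC 4515 escaping of the login name is my own defensive addition, not something the thread describes.

```python
# Added example, not PostgreSQL code: the real server hands the ldapurl to
# libldap's ldap_url_parse(); this is a simplified reading of RFC 4516.
from urllib.parse import urlsplit, unquote

VALID_SCOPES = ("base", "one", "sub")

def parse_ldapurl(url):
    """Split an ldapurl into server, port, basedn, attribute and scope.
    Raises ValueError on anything the pg_hba.conf form cannot express."""
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError("unsupported LDAP URL scheme: %r" % parts.scheme)
    fields = parts.query.split("?") if parts.query else []
    attribute = fields[0] if len(fields) > 0 and fields[0] else None
    # RFC 4516: a missing scope means "base", which only ever matches the
    # base DN entry itself, never users under OU=UsersW7 or OU=UsersStd.
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    if scope not in VALID_SCOPES:
        raise ValueError("invalid LDAP scope: %r" % scope)
    if len(fields) > 2 and fields[2]:
        raise ValueError("filters not supported in LDAP URLs")
    return {"server": parts.hostname, "port": parts.port,
            "basedn": unquote(parts.path.lstrip("/")),
            "attribute": attribute, "scope": scope}

def to_explicit_options(url):
    """Equivalent pg_hba.conf options without ldapurl. Only a 'sub' scope has
    such an equivalent, because the explicit form always searches the subtree."""
    p = parse_ldapurl(url)
    if p["scope"] != "sub":
        raise ValueError("scope %r has no ldapurl-free equivalent" % p["scope"])
    opts = ["ldapserver=%s" % p["server"]]
    if p["port"]:
        opts.append("ldapport=%d" % p["port"])
    opts.append('ldapbasedn="%s"' % p["basedn"])   # quoted: the DN contains commas
    if p["attribute"]:
        opts.append("ldapsearchattribute=%s" % p["attribute"])
    return " ".join(opts)

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so a login
    name such as '*' or 'a)(objectClass=*' cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in '*()\\\x00' else c for c in value)

def search_filter(url, username):
    """The '(attribute=user)' filter of the kind the log lines above show,
    built from the URL's attribute (uid when the URL names none)."""
    attribute = parse_ldapurl(url)["attribute"] or "uid"
    return "(%s=%s)" % (attribute, escape_filter_value(username))
```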
