Re: DNS SRV support for LDAP authentication

From: Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>
To: Pg Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: DNS SRV support for LDAP authentication
Date: 2018-11-07 03:39:59
Message-ID: CAEepm=3x7GXL+exBPAEs_mhrgF7JVcqY-78YV93xF3HQ5UWsCA@mail.gmail.com
Lists: pgsql-hackers

On Tue, Sep 25, 2018 at 2:09 PM Thomas Munro
<thomas(dot)munro(at)enterprisedb(dot)com> wrote:
> Some people like to use DNS SRV records to advertise LDAP servers on
> their network. Microsoft Active Directory is usually (always?) set up
> that way. Here is a patch to allow our LDAP auth module to support
> that kind of discovery. It copies the convention of the OpenLDAP
> command line tools: if you give it a URL that has no hostname, it'll
> try to extract a domain name from the bind DN, and then ask your DNS
> server for a SRV record for LDAP-over-TCP at that domain. The
> OpenLDAP version of libldap.so exports the magic to do that, so the
> patch is very small (but the infrastructure set-up to test it is a bit
> of a schlep, see below). I'll add this to the next Commitfest.
>
> [long tedious explanation of how to set up a test with BIND and OpenLDAP on Unix]

Of course the point of this is not really for the Unix-based set-up I
described, but for Microsoft environments with one or more AD servers
and a PostgreSQL server running on (eg) Linux that wants to find AD.
In such environments, from what I can tell, the following should work:

Standard DNS lookup tools should be able to find SRV records
advertising the host, port and weight (priority) of any AD servers on
the network:
$ nslookup -type=any _ldap._tcp.YOUR.DOMAIN
$ dig srv _ldap._tcp.YOUR.DOMAIN
$ host -t srv _ldap._tcp.YOUR.DOMAIN

OpenLDAP command line tools should be able to find the AD server via
those SRV records, extracting YOUR.DOMAIN from the base DN:
$ ldapsearch -H 'ldap:///dc%3DYOUR%2Cdc%3DDOMAIN' ...

pg_hba.conf with an explicit LDAP server name should be able to talk
to Active Directory without using this patch with something like:
host all all 127.0.0.1/32 ldap ldapurl="ldap://YOUR-AD-SERVER.YOUR.DOMAIN/dc=YOUR,dc=DOMAIN?cn?sub"

pg_hba.conf using this patch should be able to discover the LDAP
server via SRV if you take out the server name:
host all all 127.0.0.1/32 ldap ldapurl="ldap:///dc=YOUR,dc=DOMAIN?cn?sub"

I'm hoping someone can help test this in a real Active Directory environment.

--
Thomas Munro
http://www.enterprisedb.com
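The discovery steps the message describes, as an added illustration that is not part of the patch or of the original post: take the dc= components of the base DN from a host-less ldap:/// URL, form the _ldap._tcp.<domain> SRV owner name that the dig/host/nslookup commands above query, and order the SRV answers by priority and then by weight as RFC 2782 prescribes. The patch itself delegates all of this to libldap; this stand-alone Python re-implementation only shows what that convention amounts to. The SRV records and hostnames are constructed sample data.

```python
"""Illustrative re-implementation of LDAP SRV discovery for ldap:///<base DN>
URLs: base DN -> DNS domain -> _ldap._tcp SRV name -> RFC 2782 ordering.
Example code only; the PostgreSQL patch relies on libldap for these steps."""
import random
from urllib.parse import urlsplit, unquote


def _split_rdns(dn):
    """Split a DN on unescaped commas (a backslash escapes a literal comma)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def domain_from_base_dn(dn):
    """dc=YOUR,dc=DOMAIN -> 'YOUR.DOMAIN'.  Only the trailing run of dc=
    components counts; a non-dc RDN resets it (cn=x,dc=a,dc=b -> 'a.b')."""
    labels = []
    for rdn in _split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip())
        else:
            labels = []
    if not labels:
        raise ValueError("no dc= components in base DN: %r" % dn)
    return ".".join(labels)


def srv_name_for_ldap_url(url):
    """Return the SRV owner name to query for a host-less ldap:/// URL, or
    None when the URL already names a server and no discovery is needed."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    if parts.netloc:
        return None
    base_dn = unquote(parts.path.lstrip("/"))  # handles dc%3DYOUR%2Cdc%3DDOMAIN too
    return "_ldap._tcp." + domain_from_base_dn(base_dn)


def order_srv_targets(records, rng=None):
    """Order SRV records per RFC 2782: ascending priority first, then a
    weighted random draw within each priority.  records are tuples of
    (priority, weight, port, target); returns [(target, port), ...]."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            # RFC 2782: weight-0 records go first in the list so they are
            # selected rarely but not never.
            group.sort(key=lambda r: r[1] != 0)
            total, running = 0, []
            for r in group:
                total += r[1]
                running.append(total)
            pick = rng.randint(0, total)  # inclusive, as the RFC describes
            for idx, acc in enumerate(running):
                if acc >= pick:
                    chosen = group.pop(idx)
                    break
            ordered.append((chosen[3], chosen[2]))
    return ordered


# Constructed sample answer: two DCs sharing priority 0, a backup at priority 10.
SAMPLE_SRV = [
    (0, 100, 389, "dc1.your.domain."),
    (0, 100, 389, "dc2.your.domain."),
    (10, 0, 389, "dc-backup.your.domain."),
]

if __name__ == "__main__":
    print(srv_name_for_ldap_url("ldap:///dc%3DYOUR%2Cdc%3DDOMAIN"))
    print(order_srv_targets(SAMPLE_SRV, random.Random(1)))
```

One caveat worth keeping in mind when relying on this: an SRV answer is only as trustworthy as the DNS that returned it. Without DNSSEC, anyone who can spoof the resolver's answer can steer the LDAP bind, and the user's password with it, to a server of their choosing, so SRV discovery should be paired with TLS (ldaptls=1 in pg_hba.conf for StartTLS) and server certificate verification rather than trusted on its own.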
