Fwd: Unable to make postgres + pam_ldap to work agains LDAP server using ldaps schema

From: Diogo Kiss <diogokiss(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Fwd: Unable to make postgres + pam_ldap to work agains LDAP server using ldaps schema
Date: 2016-03-22 13:06:10
Message-ID: CAN67sip7efS4BmGdJeOrMfr25fqnn+uqxgHxgMYuEPqh-8hJ7Q@mail.gmail.com
Lists: pgsql-general

Hi,

I am having trouble configuring Postgres to use PAM authentication + LDAP.

I managed to configure the pam_ldap.so module successfully to:
* Authorize (account) *SSH* users from specific groups
* Authenticate (auth) and authorize (account) users via *su*

But when I try to use it to authenticate PostgreSQL against my LDAP
server, I get a message saying nothing more than:

$ psql -h localhost -U dki -d payment
> Password for user dki:
> psql: FATAL: PAM authentication failed for user "dki"
> FATAL: PAM authentication failed for user "dki"

The logs from /var/log/* and /var/log/postgres/* are the following:

2016-03-22T11:02:34.155848+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
> 2016-03-22T11:02:34.156137+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49030) : pam_ldap: reconnecting to LDAP server...
> 2016-03-22T11:02:34.198306+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49030) : pam_ldap: ldap_simple_bind Can't contact LDAP server
> [2016-03-22 11:02:34.198 UTC] 127.0.0.1 56f1264a.3357 payment LOG: could
> not receive data from client: Connection reset by peer
> [2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment LOG:
> pam_authenticate failed: Authentication failure
> [2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment FATAL: PAM
> authentication failed for user "dki"
> [2016-03-22 11:02:34.199 UTC] 127.0.0.1 56f1264a.3357 payment DETAIL:
> Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
> 2016-03-22T11:02:37.160995+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
> 2016-03-22T11:02:37.161091+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49033) : pam_ldap: reconnecting to LDAP server...
> 2016-03-22T11:02:37.194711+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
> 2016-03-22T11:02:37.194952+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
> 2016-03-22T11:02:37.195122+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49033) : pam_ldap: reconnecting to LDAP server...
> 2016-03-22T11:02:37.228302+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49033) : pam_ldap: ldap_simple_bind Can't contact LDAP server
> [2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment LOG:
> pam_authenticate failed: Authentication failure
> [2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment FATAL: PAM
> authentication failed for user "dki"
> [2016-03-22 11:02:37.228 UTC] 127.0.0.1 56f1264d.3358 payment DETAIL:
> Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
> 2016-03-22T11:02:37.266582+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
> 2016-03-22T11:02:37.266682+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49037) : pam_ldap: reconnecting to LDAP server...
> 2016-03-22T11:02:37.299936+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
> 2016-03-22T11:02:37.300098+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server
> 2016-03-22T11:02:37.300189+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49037) : pam_ldap: reconnecting to LDAP server...
> [2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment LOG:
> pam_authenticate failed: Authentication failure
> [2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment FATAL: PAM
> authentication failed for user "dki"
> [2016-03-22 11:02:37.334 UTC] 127.0.0.1 56f1264d.3359 payment DETAIL:
> Connection matched pg_hba.conf line 16: "host all all 127.0.0.1/32 pam "
> 2016-03-22T11:02:37.334239+00:00 base-i-vagranto.vagrant.test.ts.sv
> 0.1(49037) : pam_ldap: ldap_simple_bind Can't contact LDAP server

Without knowing why pam_ldap can't contact the LDAP server, I can't fix
it. =(

My configuration files are as follows:

*/etc/nsswitch.conf:*
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files myhostname dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

*/etc/nslcd.conf:*
uid nslcd
gid nslcd
uri ldaps://myserver.com:636
base dc=mycompany,dc=com
ssl on
tls_reqcert demand
tls_cacertfile /etc/mycompany/tls/mycompany_ca.cert
tls_cert /etc/mycompany/tls/client.cert
tls_key /etc/mycompany/tls/client.key
filter shadow (objectClass=posixAccount)
bind_timelimit 2
timelimit 2
reconnect_sleeptime 1
reconnect_retrytime 1

*/etc/ldap.conf:*
base dc=mycompany,dc=com
uri ldaps://myserver.com:636
ldap_version 3
port 636
timelimit 2 # in seconds
bind_timelimit 2 # in seconds
nss_base_passwd ou=People,dc=mycompany,dc=com
nss_base_shadow ou=People,dc=mycompany,dc=com
nss_base_group ou=Group,dc=mycompany,dc=com
ssl on
tls_checkpeer yes
tls_cacert /etc/mycompany/tls/mycompany_ca.cert
tls_cert /etc/mycompany/tls/client.cert
tls_key /etc/mycompany/tls/client.key
nss_reconnect_tries 1
nss_reconnect_sleeptime 1 # in seconds
nss_reconnect_maxsleeptime 1 # in seconds
nss_reconnect_maxconntries 1
nss_initgroups_ignoreusers backup,bin,bind,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,proxy,root,sshd,sync,sys,syslog,uucp,www-data,zabbix

*/etc/pam.d/postgresql:*
auth sufficient pam_ldap.so try_first_pass ignore_authinfo_unavail
auth requisite pam_deny.so

*$ ls -lh /etc/ldap/ldap.conf*
lrwxrwxrwx 1 root root 14 Mar 22 10:31 /etc/ldap/ldap.conf -> /etc/ldap.conf

Can anyone help me out or point out how to increase debug information?

According to: http://linux.die.net/man/5/pam_ldap

*debug* This option is recognized by *pam_ldap* but is presently *ignored*.

Thanks in advance,

--
Diogo Kiss
E-mail : diogokiss(at)gmail(dot)com
Tel.: +45 2834 1111
GTalk: diogokiss(at)gmail(dot)com
MSN: diogokiss(at)gmail(dot)com
Y!: diogokiss
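A diagnostic script added here as an example; it is not from the original post and was not supplied by the poster. It reads the uri and tls_* entries from an nslcd.conf/ldap.conf-style file, checks whether the OS user the PostgreSQL server runs as can read the CA, certificate and key files (pam_ldap inside the server process opens them as that user, whereas sshd and su run as root, which is one common reason the same module works for SSH/su but not for Postgres), and then performs a TLS handshake against the ldaps endpoint with the same material. The config path, the user name "postgres" and running it as root are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post. Reads the LDAP URI and
# TLS paths from an nslcd.conf/ldap.conf-style file, checks that the OS user the
# PostgreSQL server runs as can read them (pam_ldap is loaded inside the server
# process, so it opens the client key as that user; sshd and su run as root),
# then does a TLS handshake to the ldaps endpoint with the same material.
# Paths and the user name "postgres" are assumptions; adjust to your host.

# Value of "key" in a "key value" config file (first match; "#" lines never match).
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Split "ldaps://host:636" or "ldap://host" into "host port"; default port is
# 636 for ldaps and 389 for ldap. IPv6 literals are not handled.
parse_ldap_uri() {
    scheme="${1%%://*}"; hostport="${1#*://}"; hostport="${hostport%%/*}"
    case "$hostport" in
        *:*) host="${hostport%:*}"; port="${hostport##*:}" ;;
        *)   host="$hostport"; [ "$scheme" = ldaps ] && port=636 || port=389 ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# TLS files the client opens; nslcd.conf and ldap.conf name the CA file differently.
tls_files() {
    for key in tls_cacertfile tls_cacert tls_cert tls_key; do conf_value "$1" "$key"; done
}

# $1 = OS user, rest = files. Uses su when checking another user (needs root).
check_readable_as() {
    user="$1"; shift; rc=0
    for f in "$@"; do
        if [ "$user" = "$(id -un)" ]; then readable=$(test -r "$f" && echo y)
        else readable=$(su -s /bin/sh "$user" -c "test -r '$f'" 2>/dev/null && echo y); fi
        if [ "$readable" = y ]; then echo "ok      $user can read $f"
        else echo "PROBLEM $user cannot read $f"; rc=1; fi
    done
    return $rc
}
main() {  # $1 = config file, $2 = OS user the postgres server runs as
    conf="$1"; os_user="$2"; set -- $(parse_ldap_uri "$(conf_value "$conf" uri)")
    echo "LDAP endpoint: $1:$2"
    check_readable_as "$os_user" $(tls_files "$conf") || echo "fix permissions first"
    # Same CA/client cert pam_ldap would present; read the "Verify return code" line.
    openssl s_client -connect "$1:$2" -CAfile "$(conf_value "$conf" tls_cacertfile)" \
        -cert "$(conf_value "$conf" tls_cert)" -key "$(conf_value "$conf" tls_key)" \
        </dev/null 2>&1 | grep -E 'Verify return code|error'
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run as root with `sh check_ldaps.sh /etc/nslcd.conf postgres`; a PROBLEM line on client.key or a non-zero "Verify return code" explains a "Can't contact LDAP server" from pam_ldap before any LDAP-level debugging is needed.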
