Re: A vexing problem with LDAP

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: "Subramanian,Ramachandran" <ramachandran(dot)subramanian(at)alte-leipziger(dot)de>, "pgsql-novice(at)lists(dot)postgresql(dot)org" <pgsql-novice(at)lists(dot)postgresql(dot)org>
Subject: Re: A vexing problem with LDAP
Date: 2026-03-13 07:04:19
Message-ID: ff5e8a3ba8d97971b2de3194e2bff2239ea715f2.camel@cybertec.at
Lists: pgsql-novice

On Fri, 2026-03-13 at 06:57 +0000, Subramanian,Ramachandran wrote:
> We have a USERID (VALID-USER) who exists in the LDAP Group G_APP_Postgres_Users.
>  
> PS H:\> Get-ADUser -LDAPFilter "(&(objectClass=user)(sAMAccountName=VALID-USER)(memberOf=CN=G_APP_Postgres_Users,OU=Anwendungen,OU=Gruppen,OU=Identity,DC=my-Konzern,DC=de))"
>  
> DistinguishedName : CN=VALID-USER,OU=Konten,OU=EWT,OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de
> Enabled           : True
> GivenName         : REWT-PostgreSQL
> Name              : VALID-USER
> ObjectClass       : user
> ObjectGUID        : 5a45f8e9-f13b-4ff2-9815-ec85bd0aeb7c
> SamAccountName    : VALID-USER
> SID               : S-1-5-21-4249930229-1474557206-4077294858-125360
> Surname           : Rochade-Konfig
> UserPrincipalName :VALID-USER(at)my-konzern(dot)de
>  
> However when he tries to connect to postgres we see this error message.
>  
> Postgres-Log
> LOG:  LDAP user "VALID-USER" does not exist
> FATAL:  LDAP authentication failed for user "VALID-USER"
>  
> PG_HBA.CONF entry is shown below.
>  
> pg_hba.conf
> host   all             all              0.0.0.0/0             ldap ldapserver=ldap.my-konzern.de ldapport=389 ldapbinddn="CN=Postgres-LDAP,OU=Konten,OU=PROD,OU=PostgreSQL,OU=Ressourcen,DC=my-konzern,DC=de" ldapbindpasswd="dF3(at)3#s$P1" ldapbasedn="OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de" ldapscheme=ldap ldapsearchfilter="(&(objectClass=user)( sAMAccountName=%u)(memberOf=CN=G_APP_Postgres_Users,OU=Anwendungen,OU=Gruppen,OU=Identity,DC=my-konzern,DC=de))"
>  
> What could be the source of this error?

I'd say that because PostgreSQL <> Postgres, you won't find user
"CN=VALID-USER,OU=Konten,OU=EWT,OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de"
under the base distinguished name "OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de".

Try with ldapbasedn="OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de".

> How to debug this problem step by step to see where exactly the chain is disconnected?

Copy and paste is your friend, it avoids typos.

Yours,
Laurenz Albe
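The base-DN mismatch Laurenz points at can be reproduced offline. The following is an added example, not code from this thread or from PostgreSQL: it models the first half of PostgreSQL's LDAP search+bind authentication, in which the server binds as ldapbinddn, searches the subtree under ldapbasedn for an entry matching ldapsearchfilter with %u replaced by the login name, and proceeds to the second bind only if exactly one entry is found. The directory is constructed from the DNs quoted above; the objectClass and memberOf values on the entries are assumed, and the filter evaluator is hard-wired to the three clauses of the posted ldapsearchfilter rather than being a general LDAP filter parser. DN comparison ignores case in both attribute types and values, so "DC=my-Konzern" and "DC=my-konzern" compare equal while "OU=Postgres" and "OU=PostgreSQL" do not.

```python
"""Offline model of PostgreSQL's LDAP search+bind lookup (added example)."""
from typing import Dict, List, Optional, Tuple

# DNs as quoted in the thread.  Attribute values on the entries are assumed.
GROUP_DN = "CN=G_APP_Postgres_Users,OU=Anwendungen,OU=Gruppen,OU=Identity,DC=my-Konzern,DC=de"
USER_DN = "CN=VALID-USER,OU=Konten,OU=EWT,OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de"
BIND_DN = "CN=Postgres-LDAP,OU=Konten,OU=PROD,OU=PostgreSQL,OU=Ressourcen,DC=my-konzern,DC=de"
WRONG_BASE_DN = "OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de"    # from the posted pg_hba.conf
RIGHT_BASE_DN = "OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de"  # the suggested fix

# Constructed directory: (dn, attributes).  The bind account is deliberately
# not a member of the group, so the filter must reject it.
DIRECTORY: List[Tuple[str, Dict[str, List[str]]]] = [
    (USER_DN, {"objectClass": ["top", "person", "user"],
               "sAMAccountName": ["VALID-USER"],
               "memberOf": [GROUP_DN]}),
    (BIND_DN, {"objectClass": ["top", "person", "user"],
               "sAMAccountName": ["Postgres-LDAP"],
               "memberOf": []}),
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=a,OU=b,DC=c' into [(type, value), ...], lower-cased for comparison.

    Simplified: no escaped commas and no multi-valued RDNs, which is enough for
    the DNs in this thread.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_is_under(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies below it (suffix test on the RDN list)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def matches_filter(attrs: Dict[str, List[str]], user: str, group_dn: str) -> bool:
    """Evaluate (&(objectClass=user)(sAMAccountName=%u)(memberOf=<group>)) with %u := user."""
    a = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
    return ("user" in a.get("objectclass", [])
            and user.lower() in a.get("samaccountname", [])
            and any(parse_dn(g) == parse_dn(group_dn) for g in a.get("memberof", [])))


def search_bind_lookup(base_dn: str, user: str, group_dn: str,
                       directory=DIRECTORY) -> Tuple[Optional[str], str]:
    """Subtree search under base_dn; return (matched DN or None, message).

    PostgreSQL logs 'LDAP user "x" does not exist' for zero hits and
    'LDAP user "x" is not unique' for more than one; only exactly one hit
    goes on to the second bind as that DN with the user's password.
    """
    hits = [dn for dn, attrs in directory
            if dn_is_under(dn, base_dn) and matches_filter(attrs, user, group_dn)]
    if not hits:
        return None, 'LDAP user "%s" does not exist' % user
    if len(hits) > 1:
        return None, 'LDAP user "%s" is not unique' % user
    return hits[0], "search matched %s" % hits[0]


if __name__ == "__main__":
    for base in (WRONG_BASE_DN, RIGHT_BASE_DN):
        _, msg = search_bind_lookup(base, "VALID-USER", GROUP_DN)
        print("ldapbasedn=%r: %s" % (base, msg))
```

Against a real directory the equivalent check is an ldapsearch run from the database host with the same bind DN, the same `-b` value as ldapbasedn and the filter with %u filled in; an empty result there is exactly what PostgreSQL turns into "LDAP user ... does not exist", independent of whether the user and password are otherwise valid.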
