Re: User Name Maps seem broken in 11.1 on CentOS 7 - Mailing list pgsql-general

From Adrian Klaver
Subject Re: User Name Maps seem broken in 11.1 on CentOS 7
Msg-id 37efc320-af22-aa11-c68d-ecada155500d@aklaver.com
In response to User Name Maps seem broken in 11.1 on CentOS 7  (Viktor Berke <bviktor@outlook.com>)
Responses Re: User Name Maps seem broken in 11.1 on CentOS 7  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
On 1/29/19 1:11 PM, Viktor Berke wrote:
> Hi,
> 
> After some talk with the helpful folks of #postgresql I see no other 
> option but to ask here. I'm trying to set up proper authentication for 
> our corporate users. They'll access postgres both from their 
> workstations via TCP, and also locally. Locally, they're authenticated 
> using SSSD which in turn is using LDAP to talk to our Active Directory 
> DCs. That's not very relevant, but I just wanted to explain precisely.
> 
> Anyhow, we try to enforce the "user.name@company.com" login wherever we 
> can, so this is how I set up LDAP auth:
> 
> hostssl all all 10.1.0.1/16 ldap ldapserver=dc2.ad.foobar.com 
> ldapport=636 ldapscheme=ldaps ldaptls=0 
> ldapbinddn="CN=ldap,OU=Helpers,OU=Foobar,DC=ad,DC=foobar,DC=com" 
> ldapbindpasswd=*** ldapsearchattribute=mail 
> ldapbasedn="OU=Users,OU=Foobar,DC=ad,DC=foobar,DC=com"
> 
> This works perfectly fine. I create the role, e.g.:
> 
> CREATE ROLE "jane.doe@foobar.com" CREATEDB CREATEROLE LOGIN;
> 
> Then she can log in fine via pgAdmin or whatever, using her email address.
> 
> Now I want to set up peer authentication locally, so that they don't 
> have to enter their passwords all the time when they're already 
> authenticated to the OS. The idea is that I map the local "jane.doe" OS 
> user to the "jane.doe@foobar.com" role already present in postgres. This 
> way I don't have to CREATE ROLE and manage permissions both for jane.doe 
> and jane.doe@foobar.com. So the map would look something like this, I guess:
> 
> foo /^(.*)$ \1@foobar\.com (or something like that?)
> 
> And here comes the problem: user name maps seem completely 
> non-functional. First I suspected it's a problem with the dot in 
> usernames, but even if I create a local Unix user ("foobar") and set
> 
> local all all peer map=foo
> 
> in pg_hba.conf and
> 
> foo foobar postgres
> 
> In pg_ident.conf, all I see in the log is that
> 
> 2019-01-29 21:44:45.095 CET [41929] LOG:  no match in usermap "foo" for 
> user "foobar" authenticated as "foobar"
> 2019-01-29 21:44:45.095 CET [41929] FATAL:  Peer authentication failed 
> for user "foobar"
> 2019-01-29 21:44:45.095 CET [41929] DETAIL:  Connection matched 
> pg_hba.conf line 79: "local all all peer map=foo"
> 
> Bummer. I also tried various regexes, even the likes of /^(.*)$, but the 
> log ALWAYS says no match. The weird thing is that this is the log 
> content even if there's nothing in pg_ident.conf, so it's like postgres 
> doesn't even care about what's in there.

Is ident_file set to something else?:

https://www.postgresql.org/docs/11/runtime-config-file-locations.html#GUC-IDENT-FILE

> 
> Any ideas?
> 
> Regards,
> 
> Viktor


-- 
Adrian Klaver
adrian.klaver@aklaver.com
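As an added example (editor's code, not from either poster and not PostgreSQL's own source), the script below emulates how PostgreSQL evaluates a pg_ident.conf map so the "no match in usermap" log line quoted above can be reproduced offline and explained. The pg_ident.conf content is constructed for the example: map "foo" carries the two lines discussed in the thread (the regex guess with a "\." in the PG-USERNAME field, and the literal foobar -> postgres line), and map "foo_fixed" is the same regex line with a plain dot. Python's re module stands in for PostgreSQL's ARE regex engine, which agrees for patterns this simple; double-quoted tokens are not handled.

```python
"""
Emulate how PostgreSQL evaluates a pg_ident.conf user name map.

Semantics reproduced (PostgreSQL 11 documentation and hba.c):
  * each non-comment line is  MAPNAME  SYSTEM-USERNAME  PG-USERNAME
  * if SYSTEM-USERNAME starts with '/', the rest is a regular expression
    searched (not implicitly anchored) against the OS user name; when
    PG-USERNAME contains "\1", that first occurrence is replaced by the
    regex's first capture group
  * PG-USERNAME is otherwise a plain string with no escape processing,
    so "\." in it is two literal characters, not a regex escape
  * the map matches when the resulting PG-USERNAME equals, case-sensitively,
    the role the client asked to connect as (the comparison peer auth uses)

Python's re module stands in for PostgreSQL's ARE engine; for the simple
patterns here they agree. Double-quoted tokens are not handled.
"""
import re


# Constructed pg_ident.conf content for this example; not the poster's file.
SAMPLE_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
foo         /^(.*)$           \1@foobar\.com
foo         foobar            postgres
foo_fixed   /^(.*)$           \1@foobar.com
"""


def parse_pg_ident(text):
    """Return a list of (mapname, system_username, pg_username) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append(tuple(fields))
    return entries


def check_usermap(entries, map_name, system_user, pg_role):
    """Evaluate map `map_name` for an OS user wanting to connect as pg_role.

    Returns (matched, candidates): `candidates` lists the PG-USERNAME each
    applicable line would have accepted, which is what you need to see to
    understand a "no match in usermap" log line.
    """
    candidates = []
    for name, system_field, pg_field in entries:
        if name != map_name:
            continue
        if system_field.startswith("/"):
            m = re.search(system_field[1:], system_user)
            if m is None:
                continue
            if "\\1" in pg_field:
                if m.re.groups < 1 or m.group(1) is None:
                    # PostgreSQL logs an error for this line and rejects it
                    raise ValueError(
                        f"regex {system_field!r} has no capture for \\1 in {pg_field!r}")
                effective = pg_field.replace("\\1", m.group(1), 1)
            else:
                effective = pg_field
        else:
            if system_field != system_user:
                continue
            effective = pg_field
        candidates.append(effective)
        if effective == pg_role:
            return True, candidates
    return False, candidates


if __name__ == "__main__":
    entries = parse_pg_ident(SAMPLE_IDENT)
    for map_name, os_user, role in [
        ("foo", "jane.doe", "jane.doe@foobar.com"),   # "\." makes this fail
        ("foo_fixed", "jane.doe", "jane.doe@foobar.com"),
        ("foo", "foobar", "postgres"),                 # literal line matches
        ("foo", "foobar", "foobar"),                   # no line allows this
    ]:
        ok, tried = check_usermap(entries, map_name, os_user, role)
        verdict = "match" if ok else f'no match in usermap "{map_name}"'
        print(f"{os_user!r} -> {role!r} via {map_name}: {verdict}; tried {tried}")
```

Two things the emulation makes visible: a "\." in the PG-USERNAME field yields the role name "jane.doe@foobar\.com", which never equals the real role, and a line "foo foobar postgres" only authorizes the OS user foobar to connect as postgres, so connecting as foobar through that map is a legitimate "no match". Independently of the map contents, PostgreSQL reads pg_ident.conf only at startup and on SIGHUP, so after editing it run `SELECT pg_reload_conf();` (or `pg_ctl reload`) and check the server log, since a pg_ident.conf that fails to parse is not reloaded and the previous map stays in effect; `SHOW ident_file;` confirms which file the server is actually reading, which is the check the ident_file question above is getting at.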

