Re: [EXT] Re: pgadmin4 container deployment with ldap-authentication - Mailing list pgadmin-support

Subject: Re: [EXT] Re: pgadmin4 container deployment with ldap-authentication
Msg-id: 54273C27-DDE5-4BDC-9B43-34B76A063712@metronom.com
In response to: Re: pgadmin4 container deployment with ldap-authentication (Khushboo Vashi <khushboo.vashi@enterprisedb.com>)
Responses: Re: [EXT] Re: pgadmin4 container deployment with ldap-authentication (Khushboo Vashi <khushboo.vashi@enterprisedb.com>)
List: pgadmin-support
Hi,
I am just back from holiday and wanted to test the same (as I authored this LDAP change request I think it's overdue to test it.)

To ensure the env is fine I executed ldapsearch on the docker host to have some check first:

ldapsearch -LLL -x -h ldap.mgi.de:389 \
  -D "cn=SVCLDAP,cn=Users,dc=asf,dc=madm,dc=net" -w xxxxxx \
  -b "dc=madm,dc=net" userPrincipalName=Heiko.Onnebrink@metronom.com

I got some fine output back within some ms:

dn: CN=Onnebrink Heiko,OU=HQ01-DUS,OU=Users,OU=DE,OU=MSYS,DC=r2,DC=madm,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Onnebrink Heiko
sn: Onnebrink
c: DE
l: Duesseldorf
title: Mr
description: XPC User (migriert) - managed by identityDirectory
postalCode: 40235
physicalDeliveryOfficeName: 09.02.207
etc (truncated)

Next I transferred the args from the test and passed them to the pgBadger docker container:

docker run -p 443:443 \
  -e PGADMIN_DEFAULT_EMAIL=admin@metronom.com \
  -e PGADMIN_DEFAULT_PASSWORD=admin \
  -e 'PGADMIN_CONFIG_AUTHENTICATION_SOURCES=["ldap"]' \
  -e 'PGADMIN_CONFIG_LDAP_SERVER_URI="ldap://ldap.mgi.de:389"' \
  -e 'PGADMIN_CONFIG_LDAP_USERNAME_ATTRIBUTE="userPrincipalName"' \
  -e 'PGADMIN_CONFIG_LDAP_BIND_USER="cn=SVCLDAP,cn=Users,dc=asf,dc=madm,dc=net"' \
  -e 'PGADMIN_CONFIG_LDAP_BIND_PASSWORD="xxxxxx"' \
  -e 'PGADMIN_CONFIG_LDAP_SEARCH_BASE_DN="dc=madm,dc=net"' \
  -e PGADMIN_CONFIG_LDAP_AUTO_CREATE_USER=True \
  -e PGADMIN_ENABLE_TLS=TRUE \
  -v '/dockerdata/pgadmin/servers.json:/servers.json' \
  -v '/dockerdata/pgadmin/server.cert:/certs/server.cert' \
  -v '/dockerdata/pgadmin/server.key:/certs/server.key' \
  --name pgadminssl registry.metroscales.io/rdb-dev/pgadmin:latest

NOTE: Configuring authentication for SERVER mode.

sudo: setrlimit(RLIMIT_CORE): Operation not permitted
[2020-08-11 10:45:49 +0000] [1] [INFO] Starting gunicorn 19.9.0
[2020-08-11 10:45:49 +0000] [1] [INFO] Listening at: http://[::]:443 (1)
[2020-08-11 10:45:49 +0000] [1] [INFO] Using worker: threads
/usr/local/lib/python3.8/os.py:1023: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
  return io.open(fd, *args, **kwargs)
[2020-08-11 10:45:49 +0000] [97] [INFO] Booting worker with pid: 97

I started up the pgAdmin web UI and entered heiko.onnebrink@metronom.com with password as credentials.

After logon a new window pops up with this JSON result:

{
  success: 0,
  result: null,
  info: "",
  data: null,
  errormsg: "error receiving data: timed out"
}

Here is the error stack from the pgAdmin container:

::ffff:10.97.177.148 - - [11/Aug/2020:10:49:02 +0000] "GET / HTTP/1.1" 302 237 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
::ffff:10.97.177.148 - - [11/Aug/2020:10:49:02 +0000] "GET /login?next=%2F HTTP/1.1" 200 1698 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"

2020-08-11 10:49:27,835: ERROR  flask.app:      error receiving data: timed out
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 82, in receiving
    data = self.connection.socket.recv(self.socket_size)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 55, in login
    status, msg = auth_obj.authenticate()
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 118, in authenticate
    status, msg = source.authenticate(self.form)
  File "/pgadmin4/pgadmin/authenticate/ldap.py", line 73, in authenticate
    status, ldap_user = self.search_ldap_user()
  File "/pgadmin4/pgadmin/authenticate/ldap.py", line 228, in search_ldap_user
    self.conn.search(search_base=search_base_dn,
  File "/usr/local/lib/python3.8/site-packages/ldap3/core/connection.py", line 819, in search
    response = self.post_send_search(self.send('searchRequest', request, controls))
  File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 139, in post_send_search
    responses, result = self.get_response(message_id)
  File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/base.py", line 353, in get_response
    responses = self._get_response(message_id, timeout)
  File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 157, in _get_response
    responses = self.receiving()
  File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 92, in receiving
    raise communication_exception_factory(LDAPSocketReceiveError, type(e)(str(e)))(self.connection.last_error)
ldap3.core.exceptions.LDAPSocketReceiveError: error receiving data: timed out
::ffff:10.97.177.148 - - [11/Aug/2020:10:49:27 +0000] "POST /authenticate/login HTTP/1.1" 500 94 "https://10.96.48.68/login?next=%2F" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"

Thanks for any advice 
cheers
Heiko

From: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Date: Tuesday, 11. August 2020 at 06:09
To: Hendrik Hansmeier <hendrik.hansmeier@hh-it.co>
Cc: "pgadmin-support lists.postgresql.org" <pgadmin-support@lists.postgresql.org>
Subject: [EXT] Re: pgadmin4 container deployment with ldap-authentication

Hi, 


On Tue, Aug 11, 2020 at 4:35 AM Hendrik Hansmeier <hendrik.hansmeier@hh-it.co> wrote:
Hi,
I am trying to get pgadmin4 running in server mode as a docker container. So I pulled the image and after I tried out the image a little bit, I tried to use LDAP authentication.

Unfortunately, I didn't get it running as expected. I am not able to authenticate against my Samba 4 domain. This is how I tried to launch the container:

docker run -p 8280:80 \
    -e "PGADMIN_DEFAULT_EMAIL=<emailAddress>" \
    -e "PGADMIN_DEFAULT_PASSWORD=<password>" \
    -e "AUTHENTICATION_SOURCES=['ldap']" \
    -e "LDAP_AUTO_CREATE_USER=True" \
    -e "LDAP_SERVER_URI='ldaps://<domaincontroller>:636'" \
    -e "LDAP_BASE_DN='cn=Users,dc=mydomain,dc=local'" \
    -e "LDAP_BIND_USER='cn=User1,cn=Users,dc=mydomain,dc=local'" \
    -e "LDAP_BIND_PASSWORD=<BindDNPassword>" \
    -e "LDAP_CA_CERT_FILE='/etc/ssl/certs/myca.pem'" \
    -e "LDAP_CERT_FILE='/etc/ssl/certs/my.cert.pem'" \
    -e "LDAP_KEY_FILE='/etc/ssl/private/my.key.pem'" \
    -d dpage/pgadmin4

I am using the container behind a reverse proxy on nginx (Debian buster), for the first try via http. The authentication with the given user PGADMIN_DEFAULT_EMAIL works as expected but LDAP authentication results in an error message "Specified user does not exist".

Am I using the environment parameters for LDAP authentication correctly? May a reverse proxy over https help to get ldaps working?

The variable prefix "PGADMIN_CONFIG_" should be used to override any of the configuration options in pgAdmin's config.py file. So add this prefix to all the config params you have used (e.g. AUTHENTICATION_SOURCES, LDAP_SERVER_URI etc.).

Ex: AUTHENTICATION_SOURCES should be PGADMIN_CONFIG_AUTHENTICATION_SOURCES
Please refer to https://www.pgadmin.org/docs/pgadmin4/4.24/container_deployment.html#environment-variables for more information.

Also, set the LDAP_SEARCH_BASE_DN param, which is required to configure LDAP authentication in dedicated user mode (which you have configured).

Please refer to https://www.pgadmin.org/docs/pgadmin4/4.24/enabling_ldap_authentication.html

Thanks,
Khushboo

-- 
Best regards,

Hendrik Hansmeier


Hendrik Hansmeier IT-Consulting ::: Bunsenstraße 5 ::: 51647 Gummersbach
FON +49 (0) 2261 814 174 ::: MOB +49 (0) 151 235 866 02 ::: E-MAIL mailto:hendrik.hansmeier@hh-it.co
USt-IdNr.: DE311717013 ::: Finanzamt Gummersbach 

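Both docker commands in this thread run into the same mechanism, so here is an added pre-flight check (example code written for this page, not pgAdmin's own). It mirrors how the container is assumed to apply PGADMIN_CONFIG_* variables (the value is parsed as a Python literal, which is why string values carry their own quotes inside the variable), flags variables that lack the prefix and are therefore silently ignored, flags values that would not parse, and then checks the LDAP options for the dedicated user mode Khushboo describes, plus whether the bind credentials travel over plain ldap://. The two environment dictionaries are constructed from the commands above with placeholder hosts, DNs and passwords; the literal-parsing behaviour, the LDAP_USE_STARTTLS option and the LDAP_BASE_DN rule for bind-as-user mode come from pgAdmin's documentation as I read it, not from this thread.

```python
"""
Pre-flight check for pgAdmin 4 container LDAP settings given as environment
variables. Added example for this thread; not pgAdmin's own code.

Assumption: the container applies every PGADMIN_CONFIG_<OPTION> variable to
config option <OPTION> after parsing the value as a Python literal, so string
values must contain their own quotes (e.g. PGADMIN_CONFIG_LDAP_SERVER_URI='"ldap://host"').
"""
import ast

PREFIX = "PGADMIN_CONFIG_"

# Option names used in this thread; one of these without the prefix is the
# classic mistake and is ignored by the container without any warning.
THREAD_OPTIONS = {
    "AUTHENTICATION_SOURCES", "LDAP_AUTO_CREATE_USER", "LDAP_SERVER_URI",
    "LDAP_USERNAME_ATTRIBUTE", "LDAP_BASE_DN", "LDAP_SEARCH_BASE_DN",
    "LDAP_BIND_USER", "LDAP_BIND_PASSWORD", "LDAP_CA_CERT_FILE",
    "LDAP_CERT_FILE", "LDAP_KEY_FILE",
}


def load_overrides(env):
    """Parse PGADMIN_CONFIG_* variables the way the container is assumed to.

    Returns (config, problems): config maps option name -> parsed value,
    problems lists variables that are ignored or whose value does not parse.
    """
    config, problems = {}, []
    for key, raw in env.items():
        if key.startswith(PREFIX):
            option = key[len(PREFIX):]
            try:
                config[option] = ast.literal_eval(raw)
            except (ValueError, SyntaxError):
                quoted = '"' + raw + '"'
                problems.append(f"{key}: {raw!r} is not a Python literal; "
                                f"strings need their own quotes, e.g. {key}='{quoted}'")
        elif key in THREAD_OPTIONS:
            problems.append(f"{key}: missing {PREFIX} prefix, value is ignored")
    return config, problems


def check_ldap(config):
    """Completeness and transport checks on the parsed overrides."""
    findings = []
    sources = config.get("AUTHENTICATION_SOURCES", ["internal"])
    if "ldap" not in sources:
        findings.append("AUTHENTICATION_SOURCES does not contain 'ldap'; "
                        "only the internal user database is consulted")
        return findings
    uri = config.get("LDAP_SERVER_URI")
    if not isinstance(uri, str):
        findings.append("LDAP_SERVER_URI is missing or not a string")
    elif uri.startswith("ldap://") and not config.get("LDAP_USE_STARTTLS"):
        findings.append("LDAP_SERVER_URI uses plain ldap:// without STARTTLS; "
                        "the bind account's and every user's password cross "
                        "the network in clear")
    if config.get("LDAP_BIND_USER"):
        # Dedicated user mode: the service account searches, then the user binds.
        if not config.get("LDAP_BIND_PASSWORD"):
            findings.append("LDAP_BIND_USER set but LDAP_BIND_PASSWORD missing")
        if not config.get("LDAP_SEARCH_BASE_DN"):
            findings.append("LDAP_SEARCH_BASE_DN is required in dedicated user mode")
    elif not config.get("LDAP_BASE_DN"):
        # Bind-as-user mode (assumption from the docs): DN built from LDAP_BASE_DN.
        findings.append("LDAP_BASE_DN is required when users bind with their own DN")
    return findings


# Constructed from the two commands in the thread; hosts, DNs and passwords
# are placeholders.
ENV_WITHOUT_PREFIX = {            # first post: prefix forgotten on every option
    "PGADMIN_DEFAULT_EMAIL": "admin@example.invalid",
    "AUTHENTICATION_SOURCES": "['ldap']",
    "LDAP_AUTO_CREATE_USER": "True",
    "LDAP_SERVER_URI": "'ldaps://dc.example.invalid:636'",
    "LDAP_BASE_DN": "'cn=Users,dc=example,dc=invalid'",
    "LDAP_BIND_USER": "'cn=User1,cn=Users,dc=example,dc=invalid'",
    "LDAP_BIND_PASSWORD": "BindDNPassword",
}
ENV_PREFIXED = {                  # second post: prefixed, but plain ldap://
    "PGADMIN_CONFIG_AUTHENTICATION_SOURCES": '["ldap"]',
    "PGADMIN_CONFIG_LDAP_SERVER_URI": '"ldap://ldap.example.invalid:389"',
    "PGADMIN_CONFIG_LDAP_USERNAME_ATTRIBUTE": '"userPrincipalName"',
    "PGADMIN_CONFIG_LDAP_BIND_USER": '"cn=SVCLDAP,cn=Users,dc=example,dc=invalid"',
    "PGADMIN_CONFIG_LDAP_BIND_PASSWORD": '"xxxxxx"',
    "PGADMIN_CONFIG_LDAP_SEARCH_BASE_DN": '"dc=example,dc=invalid"',
    "PGADMIN_CONFIG_LDAP_AUTO_CREATE_USER": "True",
}


def report(env):
    """Run both stages and return the combined list of messages."""
    config, problems = load_overrides(env)
    return problems + check_ldap(config)


if __name__ == "__main__":
    for name, env in (("without prefix", ENV_WITHOUT_PREFIX),
                      ("prefixed", ENV_PREFIXED)):
        print(f"== {name}")
        for line in report(env):
            print(" -", line)
```

Run it before starting the container. For the first command it reports every LDAP option as ignored, which is exactly why only the PGADMIN_DEFAULT_EMAIL login worked; for the second it parses cleanly and only flags the plain ldap:// transport. Note also that a bind password passed with -e is visible to anyone who can run docker inspect on the host.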
