Re: BUG #9818: LDAP Authentication subtree problem - Mailing list pgsql-bugs

From Sáreník Ján
Subject Re: BUG #9818: LDAP Authentication subtree problem
Date
Msg-id 843D3E17DE797541BAB4BF8053430A0576E079@CZ99PMBX01.CZGLI.LOCAL
In response to Re: BUG #9818: LDAP Authentication subtree problem  (Magnus Hagander <magnus@hagander.net>)
Responses Re: BUG #9818: LDAP Authentication subtree problem  (Magnus Hagander <magnus@hagander.net>)
List pgsql-bugs
Hello Magnus!

On Tue, Apr 18, 2014 at 3:51 PM, Magnus Hagander wrote:
> That page is about the ModifyObject() function, which we're
> definitely not calling. And it's under the section about DFS replication
> helper protocol. So either you posted the wrong URL, or you have
> misdiagnosed it.

Yes, I might have misdiagnosed it, but it was the closest match possible.

> Do you get anything in the AD controller logs at this time? Or if
> you can get a packet trace, does it show something clear about what's
> actually going wrong?

No, as AD is managed by another part of the company and there are no
issues using Apache2 or ldapsearch against it, so I do not assume
the problem resides on that side.

> I wonder if it might be related to the use of an LDAP url, that somehow
> gets the subtree search wrong. Can you check to see if it works if
> you specify the individual parts without using an url, e.g.
>
> local    all             all              ldap
> ldapserver=aa00aaa001.aaaa.corp.local
> ldapbasedn=DC=aaaa,DC=corp,DC=local ldapsearchattribute=sAMAccountName
> ldapbinddn="CN=svcLDAPDWH,OU=Services,OU=UsersAdm,DC=aaaa,DC=corp,DC=local"
> ldapbindpasswd="XXXXXX"
>
> For ldap auth not using the url syntax, subtree search is always used.

I tried this on today's unpatched PostgreSQL (8d34f6862) and it does
not work. It gives me the same error as when I use ldapurl in pg_hba.conf.
Just note that I had to quote ldapbasedn's parameter - otherwise the
database server wouldn't start.


As for the packets:
1. bindRequest(1) "CN=svcLDAPDWH,OU=Services,OU=UsersAdm,..."
2. bindResponse(1) success
3. searchRequest(2) "DC=aaaa,DC=corp,DC=local" wholeSubtree
4. searchResEntry(2) "CN=T912348,OU=UsersW7,DC=gpcz,DC=corp,DC=local"  | searchResRef(2)  | searchResDone(2) success  [1 result]
----------------------------------------------------

Then the two (patched and unpatched) start to diverge:
Patched:
----------------------------------------------------
5. unbindRequest(6)
6. bindRequest(1) "CN=user,OU=subgroup,..." simple
7. bindResponse(1) success
8. unbindRequest(2)
Unpatched:
----------------------------------------------------
5. bindRequest(4) "<ROOT>" simple
6. bindResponse(4) success
7. searchRequest(3) "DC=DomainDnsZones,DC=aaaa,..." wholeSubTree
8. searchResDone(3) operationsError (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1)  [0 results]
9. unbindRequest(5)


Thanks for feedback!
Best regards, Jasan
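The two traces above show the difference between a search+bind that ends by binding as the user it found and one that chases the referral on a fresh anonymous bind. The following is an added example, not code from the thread or from PostgreSQL: it parses both exchanges (reconstructed here from the post, with the DNs kept as anonymised in it) and reports whether the client ever bound as the entry the search returned and whether a search was issued on an anonymous (`<ROOT>`) bind, which is the request AD rejects with operationsError.

```python
import re

# Constructed from the exchange quoted in the post above, one operation per line; not a real capture.
COMMON = """bindRequest(1) "CN=svcLDAPDWH,OU=Services,OU=UsersAdm,DC=aaaa,DC=corp,DC=local" simple
bindResponse(1) success
searchRequest(2) "DC=aaaa,DC=corp,DC=local" wholeSubtree
searchResEntry(2) "CN=T912348,OU=UsersW7,DC=aaaa,DC=corp,DC=local"
searchResRef(2)
searchResDone(2) success
"""
PATCHED = COMMON + """unbindRequest(6)
bindRequest(1) "CN=T912348,OU=UsersW7,DC=aaaa,DC=corp,DC=local" simple
bindResponse(1) success
unbindRequest(2)
"""
UNPATCHED = COMMON + """bindRequest(4) "<ROOT>" simple
bindResponse(4) success
searchRequest(3) "DC=DomainDnsZones,DC=aaaa,DC=corp,DC=local" wholeSubtree
searchResDone(3) operationsError
unbindRequest(5)
"""

# operation(messageID) "dn" detail  -> the dn part is optional
OP_RE = re.compile(r'^(\w+)\((\d+)\)\s*(?:"([^"]*)")?\s*(.*)$')

def parse_trace(text):
    """Return (operation, message id, dn or None, remaining detail) per trace line."""
    return [m.groups() for m in map(OP_RE.match, text.strip().splitlines()) if m]

def analyze_search_bind(ops):
    """Search+bind should end with a bind as the single entry the search returned.
    Flags the unpatched pattern: a referral chased on an anonymous (<ROOT>) bind."""
    entries, findings, bound_dn = [], [], None
    for op, _mid, dn, rest in ops:
        if op == "bindRequest":
            bound_dn = dn                      # identity the connection now runs as
        elif op == "searchResEntry":
            entries.append(dn)                 # candidate user DN(s)
        elif op == "searchResRef":
            findings.append("search returned a referral")
        elif op == "searchRequest" and bound_dn == "<ROOT>":
            findings.append(f"search on anonymous bind: {dn}")
        elif op == "searchResDone" and "operationsError" in rest:
            findings.append("search rejected: operationsError")
    user_bind = any(op == "bindRequest" and dn in entries for op, _m, dn, _r in ops)
    if len(entries) != 1:
        findings.append(f"expected exactly one entry, got {len(entries)}")
    if not user_bind:
        findings.append("never bound as the user the search returned")
    return {"entries": len(entries), "user_bind": user_bind, "findings": findings}
```

Running `analyze_search_bind(parse_trace(UNPATCHED))` lists the anonymous-bind search and the operationsError and reports that no user bind ever happened, while the patched trace only notes the referral.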