Re: DNS SRV support for LDAP authentication - Mailing list pgsql-hackers

From Thomas Munro
Subject Re: DNS SRV support for LDAP authentication
Date
Msg-id CAEepm=3x7GXL+exBPAEs_mhrgF7JVcqY-78YV93xF3HQ5UWsCA@mail.gmail.com
In response to DNS SRV support for LDAP authentication  (Thomas Munro <thomas.munro@enterprisedb.com>)
Responses Re: DNS SRV support for LDAP authentication
List pgsql-hackers
On Tue, Sep 25, 2018 at 2:09 PM Thomas Munro
<thomas.munro@enterprisedb.com> wrote:
> Some people like to use DNS SRV records to advertise LDAP servers on
> their network.  Microsoft Active Directory is usually (always?) set up
> that way.  Here is a patch to allow our LDAP auth module to support
> that kind of discovery.  It copies the convention of the OpenLDAP
> command line tools: if you give it a URL that has no hostname, it'll
> try to extract a domain name from the bind DN, and then ask your DNS
> server for a SRV record for LDAP-over-TCP at that domain.  The
> OpenLDAP version of libldap.so exports the magic to do that, so the
> patch is very small (but the infrastructure set-up to test it is a bit
> of a schlep, see below).  I'll add this to the next Commitfest.
>
> [long tedious explanation of how to set up a test with BIND and OpenLDAP on Unix]

Of course the point of this is not really for the Unix-based set-up I
described, but for Microsoft environments with one or more AD servers
and a PostgreSQL server running on (eg) Linux that wants to find AD.
In such environments, from what I can tell, the following should work:

Standard DNS lookup tools should be able to find SRV records
advertising the host, port and weight (priority) of any AD servers on
the network:
$ nslookup -type=any _ldap._tcp.YOUR.DOMAIN
$ dig srv _ldap._tcp.YOUR.DOMAIN
$ host -t srv _ldap._tcp.YOUR.DOMAIN

OpenLDAP command line tools should be able to find the AD server via
those SRV records, extracting YOUR.DOMAIN from the base DN:
$ ldapsearch -H 'ldap:///dc%3DYOUR%2Cdc%3DDOMAIN' ...

pg_hba.conf with an explicit LDAP server name should be able to talk
to Active Directory without using this patch with something like:
host all all 127.0.0.1/32 ldap ldapurl="ldap://YOUR-AD-SERVER.YOUR.DOMAIN/dc=YOUR,dc=DOMAIN?cn?sub"

pg_hba.conf using this patch should be able to discover the LDAP
server via SRV if you take out the server name:
host all all 127.0.0.1/32 ldap ldapurl="ldap:///dc=YOUR,dc=DOMAIN?cn?sub"

I'm hoping someone can help test this in a real Active Directory environment.

-- 
Thomas Munro
http://www.enterprisedb.com

