Re: Multiple LDAP Servers for ldap Authentication - Mailing list pgsql-general

From Richard Yen
Subject Re: Multiple LDAP Servers for ldap Authentication
Date
Msg-id CAKH4vDg_7XXe3LsdptWutQZFozy6TRzU1UVE1ZBx++6-rvo+XQ@mail.gmail.com
In response to RE: Multiple LDAP Servers for ldap Authentication  ("Kumar, Virendra" <Virendra.Kumar@guycarp.com>)
List pgsql-general


On Thu, Dec 20, 2018 at 9:17 PM Kumar, Virendra <Virendra.Kumar@guycarp.com> wrote:
I figured it out, this is how it works:
--
host    all     all                            0.0.0.0/0              ldap ldapserver=server1.com ldapserver=server2.com ldapprefix=PROD01\

So the documentation needs some update.

Just FYI I tried out this method on my setup, and it did not work.  Postgres (I tried on v. 10 and v. 12) will always pick the last "ldapserver=" tag that it parses.  Alvaro's format (ldapserver="server1 server2") works for me.  To be clear:

<snippet>
# does not work:
host   all         all      0.0.0.0/0  ldap ldapserver=ldap-service1 ldapserver=ldap-service2 ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389

# this works:
host   all         all      0.0.0.0/0  ldap ldapserver="ldap-service1 ldap-service2" ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389
</snippet>

For anyone who comes across this in the future, I have also compiled a short YouTube video to demonstrate the behavior of the two formats: https://youtu.be/kjlwwfHdpWg

--Richard
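The behaviour Richard describes (a repeated `ldapserver=` option silently keeps only the last value, while a quoted, space-separated value lists several servers) is easy to miss in review, because the "broken" line is still syntactically valid and the server starts. The following added example, which is not part of the thread and not PostgreSQL's own code, is a small lint for `pg_hba.conf` lines that tokenizes the line the way the server's quoting rules do (double-quoted runs may contain spaces), records options with last-value-wins semantics, and warns when `ldapserver=` appears more than once. The two sample lines are constructed from the snippet in the message above.

```python
"""Lint pg_hba.conf ldap lines: flag a repeated ldapserver= option.

Added example for the thread above; not PostgreSQL's own parser.
It models only the parts of the hba syntax needed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A token is a run of non-space characters in which double-quoted
# sections (which may themselves contain spaces) are kept together,
# so  ldapsuffix=", dc=example, dc=org"  is one token.
_TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(line: str) -> list[str]:
    """Split one hba line into tokens; blank and comment lines yield []."""
    text = line.strip()
    if not text or text.startswith("#"):
        return []
    return _TOKEN_RE.findall(text)


def _unquote(value: str) -> str:
    """Strip one pair of surrounding double quotes, if present."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


@dataclass
class HbaEntry:
    conn_type: str
    database: str
    user: str
    address: str | None          # None for 'local' entries
    method: str
    options: dict[str, str] = field(default_factory=dict)  # last value wins
    repeated: list[str] = field(default_factory=list)      # keys seen twice+


def parse_hba_line(line: str) -> HbaEntry | None:
    """Parse one hba line; returns None for blank/comment lines."""
    tokens = tokenize(line)
    if not tokens:
        return None
    if tokens[0] == "local":
        if len(tokens) < 4:
            raise ValueError(f"too few fields: {line!r}")
        conn_type, database, user = tokens[:3]
        address, rest = None, tokens[3:]
    else:
        if len(tokens) < 5:
            raise ValueError(f"too few fields: {line!r}")
        conn_type, database, user, address = tokens[:4]
        rest = tokens[4:]
    entry = HbaEntry(conn_type, database, user, address, rest[0])
    for opt in rest[1:]:
        key, sep, value = opt.partition("=")
        if not sep:
            raise ValueError(f"malformed option {opt!r}")
        # Mirror the observed server behaviour: a later key overwrites
        # an earlier one, but remember that it happened.
        if key in entry.options and key not in entry.repeated:
            entry.repeated.append(key)
        entry.options[key] = _unquote(value)
    return entry


def ldap_servers(entry: HbaEntry) -> list[str]:
    """Servers that will actually be tried: the (last) ldapserver value, split on spaces."""
    return entry.options.get("ldapserver", "").split()


def lint(line: str) -> list[str]:
    """Return human-readable warnings for an ldap hba line (empty list if fine)."""
    entry = parse_hba_line(line)
    warnings: list[str] = []
    if entry is None or entry.method != "ldap":
        return warnings
    if "ldapserver" in entry.repeated:
        warnings.append(
            "ldapserver= given more than once; only the last value "
            f"({entry.options['ldapserver']!r}) takes effect. "
            'Use ldapserver="host1 host2" to list several servers.'
        )
    if not ldap_servers(entry):
        warnings.append("no ldapserver= option found")
    return warnings


# Constructed sample lines, based on the snippet in the message above.
BROKEN_LINE = ('host all all 0.0.0.0/0 ldap ldapserver=ldap-service1 '
               'ldapserver=ldap-service2 ldaptls=1 ldapprefix="cn=" '
               'ldapsuffix=", dc=example, dc=org" ldapport=389')
GOOD_LINE = ('host all all 0.0.0.0/0 ldap ldapserver="ldap-service1 ldap-service2" '
             'ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389')

if __name__ == "__main__":
    for sample in (BROKEN_LINE, GOOD_LINE):
        print(ldap_servers(parse_hba_line(sample)), lint(sample))
```

Running the block shows `['ldap-service2']` plus a warning for the first line and `['ldap-service1', 'ldap-service2']` with no warning for the second, which is exactly the difference between the two formats in the message. Dropping a failover server this way is a silent availability problem rather than a hard error, so a check like this belongs in whatever pipeline reviews `pg_hba.conf` changes.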



Regards,
Virendra

-----Original Message-----
From: Alvaro Herrera [mailto:alvherre@2ndquadrant.com]
Sent: Thursday, December 20, 2018 3:25 PM
To: Kumar, Virendra
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Multiple LDAP Servers for ldap Authentication

On 2018-Dec-20, Kumar, Virendra wrote:

> Comma separated doesn't work as well.

Please separate by a comma and a space, not just a comma.  My reading of
the OpenLDAP source code, and some quick experiments comparing failure
patterns, suggest that that exact combination may work.  (OpenLDAP is
not exactly well commented.)  I think one problem you may or may not hit
is the PostgreSQL authentication timeout expiring sooner than OpenLDAP
is willing to try the second server.

--
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



