Thread: [Auth] "ident" method and LDAP user accounts
I manage a Debian/Linux machine which runs PostgreSQL 7.4.7. All the user accounts, including mine, are in an LDAP database. Thanks to NSS (Name Service Switch) all applications have access to the LDAP accounts (getpwuid(3) and getpwnam(3) use LDAP). But not PostgreSQL.

When I connect locally (Linux has SO_PEERCRED so the ident daemon is not used) with the "ident" method, I get rejected.

If I create an ident map to map the numeric UID to my name, it works:

    # MAPNAME   IDENT-USERNAME   PG-USERNAME
    ldapuser    1000             bortzmeyer

It is of course very inconvenient to duplicate my LDAP database into pg_ident.conf. Is there a better way?
Stephane Bortzmeyer <bortzmeyer@nic.fr> writes:
> It is of course very inconvenient to duplicate my LDAP database into
> pg_ident.conf. Is there a better way?

Perhaps you can find a PAM plugin that talks to LDAP, and configure Postgres to use that.

regards, tom lane
On Wed, Mar 02, 2005 at 02:16:29PM -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote a message of 8 lines which said:

> > It is of course very inconvenient to duplicate my LDAP database into
> > pg_ident.conf. Is there a better way?
>
> Perhaps you can find a PAM plugin that talks to LDAP, and configure
> Postgres to use that.

It already exists (I tried it) but it does not suit my needs since it asks for the password (and I'm already logged in, I don't want to type a password again).

The real issue is "Why does PostgreSQL not use getpwuid when getsockopt with SO_PEERCRED returns a numeric UID?" This would give PostgreSQL the real and correct user name :-(
Stephane Bortzmeyer <bortzmeyer@nic.fr> writes:
> The real issue is "Why does PostgreSQL not use getpwuid when
> getsockopt with SO_PEERCRED returns a numeric UID?"

Oh? I read in hba.c

    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peercred, &so_len) != 0 ||
        so_len != sizeof(peercred))
    {
        /* We didn't get a valid credentials struct. */
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not get peer credentials: %m")));
        return false;
    }

    pass = getpwuid(peercred.uid);

so it sure looks like we *are* using getpwuid.

regards, tom lane
Stephane Bortzmeyer wrote:
> All the user accounts, including mine, are in an LDAP database. Thanks
> to NSS (Name Service Switch) all applications have access to the LDAP
> accounts (getpwuid(3) and getpwnam(3) use LDAP). But not PostgreSQL.

I did similar setups on both gentoo and debian/sarge, and this was never a problem. Might it be that the postgres user is not allowed to read /etc/ldap.conf - or however your nss_ldap config file is called? I'd try su-ing to the postgres user, and check if everything (ls -l /home, ... - you get the idea) works as expected.

> When I connect locally (Linux has SO_PEERCRED so the ident daemon is
> not used) with the "ident" method, I get rejected.
>
> If I create an ident map to map the numeric UID to my name, it works:
>
> # MAPNAME   IDENT-USERNAME   PG-USERNAME
> ldapuser    1000             bortzmeyer

If all else fails, you could create this via a shell script from your ldap database - but of course that's ugly...

greetings, Florian Pflug
On Thu, Mar 03, 2005 at 04:03:25AM -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote a message of 21 lines which said:

>     pass = getpwuid(peercred.uid);
>
> so it sure looks like we *are* using getpwuid.

You're right, but I do not understand why it fails only with PostgreSQL.
On Thu, Mar 03, 2005 at 10:04:32AM +0100, Florian G. Pflug <fgp@phlo.org> wrote a message of 114 lines which said:

> Might it be that the postgres user is not allowed to read
> /etc/ldap.conf - or however your nss_ldap config file is called?

    myriam:~ % ls -ld /etc/*ldap*
    drwxr-xr-x 2 root root 4096 Oct 18 17:17 /etc/ldap
    -rw------- 1 root root   13 Oct 18 17:19 /etc/ldap.secret
    -rw-r--r-- 1 root root 8442 Oct 18 17:27 /etc/libnss-ldap.conf
    -rw-r--r-- 1 root root 7070 Oct 18 17:19 /etc/pam_ldap.conf

> I'd try su-ing to the postgres user, and check if everything (ls -l
> /home, ... - you get the idea) works as expected.

It does:

    myriam:~ % id
    uid=104(postgres) gid=108(postgres) groups=108(postgres)

    myriam:~ % ls -l /home/bortzmeyer
    total 68
    drwxr-sr-x 3 bortzmeyer staff 4096 Nov 19 11:47 AFGNIC

While "bortzmeyer" is not in /etc/passwd, only in LDAP. So, we still have a mystery :-(
On Thu, 3 Mar 2005, Stephane Bortzmeyer wrote:
> On Thu, Mar 03, 2005 at 10:04:32AM +0100,
> Florian G. Pflug <fgp@phlo.org> wrote
> a message of 114 lines which said:
>
>> Might it be that the postgres user is not allowed to read
>> /etc/ldap.conf - or however your nss_ldap config file is called?
>
> myriam:~ % ls -ld /etc/*ldap*
> drwxr-xr-x 2 root root 4096 Oct 18 17:17 /etc/ldap
> -rw------- 1 root root   13 Oct 18 17:19 /etc/ldap.secret
> -rw-r--r-- 1 root root 8442 Oct 18 17:27 /etc/libnss-ldap.conf
> -rw-r--r-- 1 root root 7070 Oct 18 17:19 /etc/pam_ldap.conf
>
>> I'd try su-ing to the postgres user, and check if everything (ls -l
>> /home, ... - you get the idea) works as expected.
>
> It does:
> myriam:~ % id
> uid=104(postgres) gid=108(postgres) groups=108(postgres)
>
> myriam:~ % ls -l /home/bortzmeyer
> total 68
> drwxr-sr-x 3 bortzmeyer staff 4096 Nov 19 11:47 AFGNIC
>
> While "bortzmeyer" is not in /etc/passwd, only in LDAP.
>
> So, we still have a mystery :-(

Does Debian include and activate SELinux?

.TM.
--
Marco Colombo
Technical Manager
ESI s.r.l.
Colombo@ESI.it
On Thu, March 3, 2005 12:00, Marco Colombo said:
> On Thu, 3 Mar 2005, Stephane Bortzmeyer wrote:
>> On Thu, Mar 03, 2005 at 10:04:32AM +0100,
>> Florian G. Pflug <fgp@phlo.org> wrote
>> a message of 114 lines which said:
>>
>>> Might it be that the postgres user is not allowed to read
>>> /etc/ldap.conf - or however your nss_ldap config file is called?
>>
>> myriam:~ % ls -ld /etc/*ldap*
>> drwxr-xr-x 2 root root 4096 Oct 18 17:17 /etc/ldap
>> -rw------- 1 root root   13 Oct 18 17:19 /etc/ldap.secret
>> -rw-r--r-- 1 root root 8442 Oct 18 17:27 /etc/libnss-ldap.conf
>> -rw-r--r-- 1 root root 7070 Oct 18 17:19 /etc/pam_ldap.conf
>>
>>> I'd try su-ing to the postgres user, and check if everything (ls -l
>>> /home, ... - you get the idea) works as expected.
>>
>> It does:
>> myriam:~ % id
>> uid=104(postgres) gid=108(postgres) groups=108(postgres)
>>
>> myriam:~ % ls -l /home/bortzmeyer
>> total 68
>> drwxr-sr-x 3 bortzmeyer staff 4096 Nov 19 11:47 AFGNIC
>>
>> While "bortzmeyer" is not in /etc/passwd, only in LDAP.
>>
>> So, we still have a mystery :-(

Seems so.. you could try to start the postmaster via strace -f, and capture the log:

    strace -f <postmaster> -- <postmaster-opts> > /tmp/postmaster.strace 2>&1

Then try to connect, and see what happens - you should see the postmaster open your pam_ldap.conf, and then try to connect to your ldap server. Maybe you find some hint in the strace log on what's going on...

Maybe it's also worth trying to start the postmaster by hand - the init-script might set some different env-variables or paths than what you have set in an interactive shell...

> Does Debian include and activate SELinux?

There are selinux-versions of debian, but in vanilla debian/sarge (and debian/woody, and debian/sid), there is no selinux support - at least, I never stumbled upon this, and I use quite a few debian machines.

greetings, Florian Pflug
On Thu, Mar 03, 2005 at 12:00:51PM +0100, Marco Colombo <pgsql@esiway.net> wrote a message of 39 lines which said:

> Does Debian include and activate SELinux?

Not at all.
Stephane Bortzmeyer <bortzmeyer@nic.fr> writes:
> Tom Lane <tgl@sss.pgh.pa.us> wrote
>> so it sure looks like we *are* using getpwuid.
> You're right, but I do not understand why it fails only with
> PostgreSQL.

Perhaps one of the pile of random libraries we include is supplying a broken version of getpwuid? I concur with the suggestion to try strace'ing to compare PG's behavior to something that works (such as ls).

regards, tom lane
On Thu, Mar 03, 2005 at 01:20:35PM +0100, Florian Pflug <fgp@phlo.org> wrote a message of 47 lines which said:

> Seems so.. you could try to start the postmaster via strace -f, and
> capture the log
...
> Then try to connect, and see what happens - you should see the
> postmaster open your pam_ldap.conf, and then try to connect to your
> ldap server.

Well, the easiest way was to 'tail -f' the LDAP server's log. I can see that PostgreSQL, indeed, calls getpwuid and tries to find LDAP's "uid" (the user name):

    Mar  8 10:23:24 eve slapd[586]: conn=38854 op=1 SRCH base="ou=People,dc=eureg,dc=eu" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=1011))"
    Mar  8 10:23:24 eve slapd[586]: conn=38854 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Strangely enough, everything works now. The only thing I see is that the machine rebooted two days ago. :-(

Thanks to those who searched, and sorry for leading them on the wrong track.