Thread: PostgreSQL and OpenLdap

PostgreSQL and OpenLdap

From: "Cristiano Panvel"

Hi Friends,

This is my first post in the list.

I am not able to authenticate my PostgreSQL users against OpenLdap.

1) PostgreSQL was compiled with LDAP support on a FreeBSD system
("--with-ldap" option for configure).

2) The user also exists in the OpenLdap base.

3) I have also already added the configuration line to "pg_hba.conf" and
to "pg_service.conf".

$ tail /etc/pg_service.conf
ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br

$ cat /usr/local/pgsql/data/pg_hba.conf

local   all         all                               trust

host    all         all         10.193.4.0/24   md5

ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br

4) To create the user I do this:

# su - pgsql
% createuser scott

After making these configurations, I try to log in and get a password error.

remote# psql postgresql -h server -U scott -W
psql: FATAL:  password authentication failed for user "scott"

Could somebody help me? I am doing something incorrectly!

http://www.postgresql.org/docs/current/interactive/libpq-ldap.html

Thanks Cris.

Re: PostgreSQL and OpenLdap

From: Magnus Hagander

On Sun, Feb 11, 2007 at 08:54:56PM -0200, Cristiano Panvel wrote:
> Hi Friends,
>
> This is my first post in the list.
>
> I am not able to authenticate my PostgreSQL users against OpenLdap.
>
> 1) PostgreSQL was compiled with LDAP support on a FreeBSD system
> ("--with-ldap" option for configure).
>
> 2) The user also exists in the OpenLdap base.
>
> 3) I have also already added the configuration line to "pg_hba.conf" and
> to "pg_service.conf".
>
> $ tail /etc/pg_service.conf
> ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br

This is not for LDAP authentication, it's for service lookup only. If
you just want LDAP auth, you can get rid of it. If you want both, I'd
suggest doing one thing at a time - get rid of it for now until auth
works, then put it back in later.

> $ cat /usr/local/pgsql/data/pg_hba.conf
>
> local   all         all                               trust
>
> host    all         all         10.193.4.0/24   md5
>
> ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br

I assume this is all on one line. In which case it's incorrect - you
can't have both md5 and ldap on the same line. It should be:
host all all 10.193.4.0/24 ldap ldap://....


> 4) To create the user I do this:
>
> # su - pgsql
> % createuser scott
>
> After making these configurations, I try to log in and get a password
> error.
>
> remote# psql postgresql -h server -U scott -W
> psql: FATAL:  password authentication failed for user "scott"
>

What you really need to look at here is the server logs, not the client
output. It should tell you what it's trying to do (in your case, it
would indicate that it's not trying to do LDAP) and how it's failing.

//Magnus

Re: PostgreSQL and OpenLdap

From: "Cristiano Panvel"

Thanks Magnus,

Now I have the line like this in pg_hba.conf:

##
host    all         all         10.193.4.0/24          ldap
ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br
##

However, a login error is occurring:

% psql postgresql -h server -U scott -W
psql: FATAL:  LDAP authentication failed for user "scott"

I must need to pass something more.

My LDAP base:
dc=cb,dc=sc,dc=gov,dc=br

The Bind:
ou=Users

Cris.


Re: PostgreSQL and OpenLdap

From: Magnus Hagander

On Mon, Feb 12, 2007 at 09:41:44PM -0200, Cristiano Panvel wrote:
> Thanks Magnus,
>
> Now I have the line like this in pg_hba.conf:
>
> ##
> host    all         all         10.193.4.0/24          ldap
> ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br
> ##
>
> However, a login error is occurring:
>
> % psql postgresql -h server -U scott -W
> psql: FATAL:  LDAP authentication failed for user "scott"

That's one step further. Now is the time you need to check the server
log.

> I must need to pass something more.
>
> My LDAP base:
> dc=cb,dc=sc,dc=gov,dc=br
>
> The Bind:
> ou=Users

Uh, you want to bind as an OU? That's not really possible? Or do you
mean that your actual bind should be as something like
cn=scott,ou=Users,dc=cb,dc=sc,dc=gov,dc=br? If so, try something like
ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br;;ou=users,

(note the double semicolons - the first one is for the prefix, the
second one for suffix)

But to re-iterate, your server log should contain more information about
the problem.

//Magnus

Re: PostgreSQL and OpenLdap

From: "Cristiano Panvel"

I am not trying thus passed the user, and this user does not
function is active and functioned in the OpenLdap.

ldap ldap://ldap.cb.sc.gov.br/uid=scott,ou=Users,dc=cb,dc=sc,dc=gov,dc=br

something is very strange

Cris.


Re: PostgreSQL and OpenLdap

From: Magnus Hagander

First, you still have not shown us the output in the server log.  That
is still where you will see more information about why it's failing.

Second, if that's what you want, you should probably try:
ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br;uid=;ou=users,

Or something along that line.

//Magnus

On Tue, Feb 13, 2007 at 11:49:54AM -0200, Cristiano Panvel wrote:
> I am not trying thus passed the user, and this user does not
> function is active and functioned in the OpenLdap.
>
> ldap ldap://ldap.cb.sc.gov.br/uid=scott,ou=Users,dc=cb,dc=sc,dc=gov,dc=br
>
> something is very strange
>
> Cris.

Re: PostgreSQL and OpenLdap

From: "Cristiano Panvel"

Nothing appears in the log; only /var/log/message has the login failure
error.

Feb 13 12:04:16 fns4 postgres[7055]: [4-1] FATAL:  LDAP authentication failed for user "scott"
Feb 13 12:04:20 fns4 postgres[7056]: [4-1] FATAL:  LDAP authentication failed for user "scott"
Feb 13 12:04:20 fns4 postgres[7057]: [4-1] FATAL:  LDAP authentication failed for user "scott"
Feb 13 12:45:57 fns4 postgres[7216]: [4-1] FATAL:  LDAP authentication failed for user "sflo"
Feb 13 12:46:10 fns4 postgres[7223]: [4-1] FATAL:  LDAP authentication failed for user "dbadm"

Cris.



Re: PostgreSQL and OpenLdap

From: Magnus Hagander

Cristiano Panvel wrote:
> Nothing appears in the log; only /var/log/message has the login failure
> error.
>
> Feb 13 12:04:16 fns4 postgres[7055]: [4-1] FATAL:  LDAP authentication failed for user "scott"
> Feb 13 12:04:20 fns4 postgres[7056]: [4-1] FATAL:  LDAP authentication failed for user "scott"
> Feb 13 12:04:20 fns4 postgres[7057]: [4-1] FATAL:  LDAP authentication failed for user "scott"
> Feb 13 12:45:57 fns4 postgres[7216]: [4-1] FATAL:  LDAP authentication failed for user "sflo"
> Feb 13 12:46:10 fns4 postgres[7223]: [4-1] FATAL:  LDAP authentication failed for user "dbadm"

There definitely should be more than that. Note however that most of
these things are not classified as errors, so they are logged at LOG
level. It may be that you're filtering so you're not showing LOG level
information, or perhaps your syslogd is configured to write them to a
different file.

AFAICS, the only code-path that does not log *why* it rejected the
authentication is the case when the client refuses to send a password.

//Magnus
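
How the "basedn;prefix;suffix" URL discussed in this thread becomes a bind DN, as an added example that is not part of the original messages or PostgreSQL's own code. It assumes the server binds as prefix + user name + suffix with nothing inserted between them; the function names and URL_FULL are constructed here, while the host, base DN and user come from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): model the pg_hba.conf LDAP argument
#   ldap://server/basedn;prefix;suffix
# Assumption: bind DN = prefix + username + suffix, no separator inserted.

# ldap_bind_dn URL USER -> prints the DN the simple bind would use
ldap_bind_dn() {
    url=$1 user=$2
    rest=${url#ldap://}              # host[:port]/basedn;prefix;suffix
    args=${rest#*/}                  # basedn;prefix;suffix
    case $args in
        *\;*\;*) tail=${args#*";"}; prefix=${tail%%";"*}; suffix=${tail#*";"} ;;
        *\;*)    prefix=${args#*";"}; suffix= ;;
        *)       prefix=; suffix= ;;
    esac
    printf '%s%s%s\n' "$prefix" "$user" "$suffix"
}

# ldap_bind_dn_ok URL USER -> 0 if the composed string is attr=value,...
# and ends with the URL's base DN (compared case-insensitively)
ldap_bind_dn_ok() {
    rest=${1#ldap://}; args=${rest#*/}
    base=$(printf '%s' "${args%%";"*}" | tr 'A-Z' 'a-z')
    dn=$(ldap_bind_dn "$1" "$2" | tr 'A-Z' 'a-z')
    case $dn in
        *=*,"$base") return 0 ;;
        *)           return 1 ;;
    esac
}

BASE='dc=cb,dc=sc,dc=gov,dc=br'
URL_BARE="ldap://ldap.cb.sc.gov.br/$BASE"                    # no prefix/suffix
URL_HINT="ldap://ldap.cb.sc.gov.br/$BASE;uid=;ou=users,"     # shape sketched in the thread
URL_FULL="ldap://ldap.cb.sc.gov.br/$BASE;uid=;,ou=Users,$BASE"  # constructed here

for u in "$URL_BARE" "$URL_HINT" "$URL_FULL"; do
    dn=$(ldap_bind_dn "$u" scott)
    if ldap_bind_dn_ok "$u" scott; then verdict='ok'
    else verdict='not a DN under the base'; fi
    printf '%-46s %s\n' "$dn" "$verdict"
done

# The same bind can be tried outside PostgreSQL from the database host:
#   ldapwhoami -x -H ldap://ldap.cb.sc.gov.br -D "<DN printed above>" -W
```

If the ldapwhoami bind fails with the composed DN, the problem is in the directory or the DN rather than in pg_hba.conf.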