Thread: LDAP Authentication

LDAP Authentication

From
"Taha Ozket"
Date:
Hi,

I have a ldap group, "pgsql-developers". I have an user (user1) member
of this group;

group
dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
objectClass: groupOfUniqueNames
objectClass: top
cn: SVN Committers
uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x

user
dn: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
objectClass: person
objectClass: top
objectClass: uidObject
cn:: Denem1
sn:: Deneme2
uid: user1
userPassword:: e01ENX10WnhudnhscVIxZ1pIa0wzWm5ET3VnPT0=

I added this line to pg_hba.conf [1]

host         all         all             172.20.0.0/16         ldap
"ldap://localhost/basedn;cn=;,cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x"

But now postgresql requires my user1 must be define under
cn=pgsql-developers,ou=Groups.. But I want to give login permission to
pgsql-developers members.

How can I change this line for give login permission to
pgsql-developers members?

[1] http://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD

Re: LDAP Authentication

From
Magnus Hagander
Date:
Taha Ozket wrote:
> Hi,
>
> I have a ldap group, "pgsql-developers". I have an user (user1) member
> of this group;
>
> group
> dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
> objectClass: groupOfUniqueNames
> objectClass: top
> cn: SVN Committers
> uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
>
> user
> dn: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
> objectClass: person
> objectClass: top
> objectClass: uidObject
> cn:: Denem1
> sn:: Deneme2
> uid: user1
> userPassword:: e01ENX10WnhudnhscVIxZ1pIa0wzWm5ET3VnPT0=
>
> I added this line to pg_hba.conf [1]
>
> host         all         all             172.20.0.0/16         ldap
> "ldap://localhost/basedn;cn=;,cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x"
>
> But now postgresql requires my user1 must be define under
> cn=pgsql-developers,ou=Groups.. But I want to give login permission to
> pgsql-developers members.
>
> How can I change this line for give login permission to
> pgsql-developers members?

This is not something you currently can do. We can only do LDAP
authentication, not authorization. There's no way to restrict it to a
particular group.

One way to accomplish what you're trying to do is to have a script that
synchronizes the members of the group to PostgreSQL accounts (account
name and role membership only), and still use LDAP for authentication.
It doesn't work in every case, but it does work in most.

//Magnus

Re: LDAP Authentication

From
"Brian A. Seklecki (Mobile)"
Date:
On Sun, 2008-06-29 at 17:58 +0200, Magnus Hagander wrote:
> This is not something you currently can do. We can only do LDAP
> authentication, not authorization. There's no way to restrict it to a
> particular group.

We're very interested in this functionality (nss_ldap for PgSQL) -- so
if there's a joint-development effort that we can contribute man-hours
or development resources (challenge grant funding, hardware, etc.) to,
let us know.

~BAS

> One way to accomplish what you're trying to do is to have a script
> that
> synchronizes the members of the group to PostgreSQL accounts (account
> name and role membership only), and still use LDAP for authentication.




IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader
ofthis message is not an intended recipient (or the individual responsible for the delivery of this message to an
intendedrecipient), please be advised that any re-use, dissemination, distribution or copying of this message is
prohibited.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this
e-mailfrom your system. 



Re: LDAP Authentication

From
Ron Peterson
Date:
2008-06-29_09:44:01-0400 Taha Ozket <tahaozket@gmail.com>:

> I have a ldap group, "pgsql-developers". I have an user (user1) member
> of this group;
> ...
> How can I change this line for give login permission to
> pgsql-developers members?

If you have pam available, you could do pam authentication, and
configure pam_ldap to enforce group membership.

--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
-
I wish my computer would do what I want it to do - not what I tell it to do.

Re: LDAP Authentication

From
Ron Peterson
Date:
2008-07-03_21:17:50-0400 Ron Peterson <rpeterso@mtholyoke.edu>:
> 2008-06-29_09:44:01-0400 Taha Ozket <tahaozket@gmail.com>:
>
> > I have a ldap group, "pgsql-developers". I have an user (user1) member
> > of this group;
> > ...
> > How can I change this line for give login permission to
> > pgsql-developers members?
>
> If you have pam available, you could do pam authentication, and
> configure pam_ldap to enforce group membership.

ps - FWIW, I typically make group membership an attribute of the user
object itself, rather than maintain groups objects and user objects
separately.  Primarily because many apps aren't sophisticated enough to
deal with having them separated.

--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
-
I wish my computer would do what I want it to do - not what I tell it to do.