Thread: LDAP Authentication
Hi,

I have an LDAP group, "pgsql-developers". I have a user (user1) who is a member of this group;

group
dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
objectClass: groupOfUniqueNames
objectClass: top
cn: SVN Committers
uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x

user
dn: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
objectClass: person
objectClass: top
objectClass: uidObject
cn:: Denem1
sn:: Deneme2
uid: user1
userPassword:: e01ENX10WnhudnhscVIxZ1pIa0wzWm5ET3VnPT0=

I added this line to pg_hba.conf [1]

host all all 172.20.0.0/16 ldap "ldap://localhost/basedn;cn=;,cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x"

But now postgresql requires that my user1 be defined under cn=pgsql-developers,ou=Groups.. But I want to give login permission to pgsql-developers members.

How can I change this line to give login permission to pgsql-developers members?

[1] http://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD
Taha Ozket wrote:
> Hi,
>
> I have an LDAP group, "pgsql-developers". I have a user (user1) who is a member
> of this group;
>
> group
> dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
> objectClass: groupOfUniqueNames
> objectClass: top
> cn: SVN Committers
> uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
>
> user
> dn: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
> objectClass: person
> objectClass: top
> objectClass: uidObject
> cn:: Denem1
> sn:: Deneme2
> uid: user1
> userPassword:: e01ENX10WnhudnhscVIxZ1pIa0wzWm5ET3VnPT0=
>
> I added this line to pg_hba.conf [1]
>
> host all all 172.20.0.0/16 ldap
> "ldap://localhost/basedn;cn=;,cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x"
>
> But now postgresql requires that my user1 be defined under
> cn=pgsql-developers,ou=Groups.. But I want to give login permission to
> pgsql-developers members.
>
> How can I change this line to give login permission to
> pgsql-developers members?

This is not something you currently can do. We can only do LDAP authentication, not authorization. There's no way to restrict it to a particular group.

One way to accomplish what you're trying to do is to have a script that synchronizes the members of the group to PostgreSQL accounts (account name and role membership only), and still use LDAP for authentication. It doesn't work in every case, but it does work in most.

//Magnus
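The synchronisation script Magnus describes, sketched as an added example (not code from this thread or from PostgreSQL): it parses an LDIF export of the group entry, takes the uid of every uniqueMember, compares that against the roles PostgreSQL currently knows, and emits the SQL needed to reconcile them while leaving authentication to LDAP. The sample LDIF, the current-state sets and the role name pgsql_developers are constructed assumptions; in practice the LDIF would come from ldapsearch and the current state from pg_roles and pg_auth_members.

```python
import re

# Constructed sample of an ldapsearch export of the group; the last DN is folded
# across two lines the way LDIF allows, to show that unfolding is handled.
SAMPLE_GROUP_LDIF = """\
dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
uniqueMember: uid=user2,ou=Users,o=Dep,dc=x,dc=x,dc=x
uniqueMember: uid=user3,
 ou=Users,o=Dep,dc=x,dc=x,dc=x
"""

_UID_RE = re.compile(r"^uid=([^,]+),", re.IGNORECASE)

def ldif_values(ldif, attr):
    """All values of one attribute; folded lines (leading space) are rejoined first."""
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw:
            unfolded.append(raw)
    vals = []
    for line in unfolded:
        key, sep, value = line.partition(":")
        if sep and key.lower() == attr.lower():
            vals.append(value.strip())
    return vals

def group_uids(ldif):
    """The uid RDN of every uniqueMember DN in the group entry."""
    return {m.group(1) for dn in ldif_values(ldif, "uniqueMember")
            if (m := _UID_RE.match(dn))}

def quote_ident(name):
    # Double-quote identifiers so a uid with odd characters cannot alter the statement.
    return '"' + name.replace('"', '""') + '"'

def sync_sql(ldap_uids, existing_roles, current_members, group_role):
    """Statements that make group_role's membership equal the LDAP group.
    New roles get LOGIN but no password, so LDAP stays the only authenticator;
    departed members are set NOLOGIN rather than dropped, keeping owned objects."""
    g, stmts = quote_ident(group_role), []
    for uid in sorted(ldap_uids):
        if uid not in existing_roles:
            stmts.append(f"CREATE ROLE {quote_ident(uid)} LOGIN;")
        if uid not in current_members:
            stmts.append(f"GRANT {g} TO {quote_ident(uid)};")
    for uid in sorted(current_members - ldap_uids):
        stmts.append(f"REVOKE {g} FROM {quote_ident(uid)};")
        stmts.append(f"ALTER ROLE {quote_ident(uid)} NOLOGIN;")
    return stmts

if __name__ == "__main__":
    # Constructed current state: roles that exist, and those already in the group role.
    print("\n".join(sync_sql(group_uids(SAMPLE_GROUP_LDIF), {"user1", "user2", "olduser"},
                             {"user1", "olduser"}, "pgsql_developers")))
```

Run on a schedule, the emitted statements are what a cron job would pipe into psql; pg_hba.conf then keeps the plain ldap method, and a user who is not in the group simply has no LOGIN role to authenticate as.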
On Sun, 2008-06-29 at 17:58 +0200, Magnus Hagander wrote:
> This is not something you currently can do. We can only do LDAP
> authentication, not authorization. There's no way to restrict it to a
> particular group.

We're very interested in this functionality (nss_ldap for PgSQL) -- so if there's a joint-development effort that we can contribute man-hours or development resources (challenge grant funding, hardware, etc.) to, let us know.

~BAS

> One way to accomplish what you're trying to do is to have a script
> that
> synchronizes the members of the group to PostgreSQL accounts (account
> name and role membership only), and still use LDAP for authentication.
2008-06-29_09:44:01-0400 Taha Ozket <tahaozket@gmail.com>:

> I have an LDAP group, "pgsql-developers". I have a user (user1) who is a member
> of this group;
> ...
> How can I change this line to give login permission to
> pgsql-developers members?

If you have pam available, you could do pam authentication, and configure pam_ldap to enforce group membership.

--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
- I wish my computer would do what I want it to do - not what I tell it to do.
2008-07-03_21:17:50-0400 Ron Peterson <rpeterso@mtholyoke.edu>:

> 2008-06-29_09:44:01-0400 Taha Ozket <tahaozket@gmail.com>:
>
> > I have an LDAP group, "pgsql-developers". I have a user (user1) who is a member
> > of this group;
> > ...
> > How can I change this line to give login permission to
> > pgsql-developers members?
>
> If you have pam available, you could do pam authentication, and
> configure pam_ldap to enforce group membership.

ps - FWIW, I typically make group membership an attribute of the user object itself, rather than maintain group objects and user objects separately. Primarily because many apps aren't sophisticated enough to deal with having them separated.

--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
- I wish my computer would do what I want it to do - not what I tell it to do.