Thread: pgSql authentication problem with openLdap
We have installed postgresql 8.1.11 in CentOS, also installed openLdap 2.3.27. I have tried a lot to authenticate the user against ldap but couldn't succeed. Can anyone pl help me out?

I have added the following entry in pg_hba.conf:

host all all 202.18.10.0/24 ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people

My ldap server ip is 202.18.10.1, domain is abc.net, all users are under ou=People,dc=abc,dc=net.

Though I have found a few discussions about the same issues and bugs, I couldn't fix my problem.

--
View this message in context: http://www.nabble.com/pgSql-authentication-problem-with-openLdap-tp23021809p23021809.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.
Sorry, forgot to mention the log message of pgsql:

invalid entry in the file pg_hba.conf at line 82, token "ldap://202...... "
fatal: missing of erroneous pg_hba.conf file
On 13/04/2009 13:49, sandiphw wrote:
> invalid entry in the file pg_hba.conf at line 82, token "ldap://202......
> "
> fatal: missing of erroneous pg_hba.conf file

Have you got double-quotes around the entry in pg_hba.conf? According to the docs, it's a good idea to do that.

http://www.postgresql.org/docs/8.3/static/auth-methods.html#AUTH-LDAP

Ray.

------------------------------------------------------------------
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
rod@iol.ie
Galway Cathedral Recitals: http://www.galwaycathedral.org/recitals
------------------------------------------------------------------
I have tried all possible variations of syntax I can imagine, like

host all all 202.18.10.0/24 ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people
host all all 202.18.10.0/24 ldap ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people
host all all 202.18.10.0/24 "ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people"
host all all 202.18.10.0/24 ldap://202.18.10.1:389/dc=abc,dc=net;cn=;,dc=holtecnet,dc=com

But all show the same error in the postgresql log.

I must be making some basic syntax error. Has anybody got it working?
On 14/04/2009 13:28, sandiphw wrote:
> host all all 202.18.10.0/24
> "ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people"

I don't know anything about LDAP, I'm only scanning the PG docs, but this version is missing the "ldap" method. It should be:

host all all 202.18.10.0/24 ldap "ldap://....(etc)..."

Also, is it really on two lines in your pg_hba.conf, or is this just your mail client (or maybe mine) wrapping it? Records must be on a single line each.

Did you remember to SIGHUP the server after changing pg_hba.conf?

Finally, is it possible that something somewhere else in the file is broken? Try commenting out everything except

host all all 127.0.0.1/32 md5

and see if you can connect locally. If that works, re-introduce the other records one by one till you find the offender.

Ray.
On Tue, Apr 14, 2009 at 8:28 AM, sandiphw <sandiphw@hotmail.com> wrote:
host all all <blah> ldap "ldap://server:389/ou=People,dc=example,dc=com;uid=;,ou=People,dc=example,dc=com"
It's very important to have the:
...;uid=;,ou=People,dc=example,dc=com
Postgres is not automatically pre-pending the attribute name and it's not appending the basedn. Also note... the comma before the basedn. If you don't have that there, it won't work.
After that, login to the database as superuser and type:
create user <usernamefromldap>
You can't login to pg via ldap unless you have created the user in the db first.
If that doesn't work, check your ldap server logs. Also, is this really openLDAP or AD? I've seen wackiness with AD even though openLdap was working with the same basic schema.
--Scott
On Tue, Apr 14, 2009 at 1:28 PM, sandiphw <sandiphw@hotmail.com> wrote:
>
> I have tried all possible variations of syntax I can imagine, like
>
> host all all 202.18.10.0/24 ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people
> host all all 202.18.10.0/24 ldap ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people
> host all all 202.18.10.0/24 "ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people"
> host all all 202.18.10.0/24 ldap://202.18.10.1:389/dc=abc,dc=net;cn=;,dc=holtecnet,dc=com
>
> But all show the same error in the postgresql log.
>
> I must be making some basic syntax error. Has anybody got it working?

I had cause to test LDAP auth the other day. This is the pg_hba.conf line I used:

host all all 172.24.32.0/24 ldap "ldap://ldap.ox.uk.enterprisedb.com/dc=enterprisedb,dc=com;uid=;,ou=People,dc=enterprisedb,dc=com"

It took me an embarrassing amount of time to get it right though - I missed the leading comma on the suffix :-)

I see you are using 8.1.11 though - first, if you are using 8.1, it should be 8.1.17. Second, ldap auth support was added in 8.2 which explains the syntax error. I would grab 8.3.7 and use that.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
Thank you all for your help. Finally I have updated to version 8.3.7 and am able to get it working with openldap with the following directive as you suggested:

host all all 202.18.10.0/24 ldap "ldap://202.18.10.1:389/ou=People,dc=example,dc=com;uid=;,ou=People,dc=example,dc=com"
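The replies above boil down to three things a pg_hba.conf LDAP record must get right on 8.2/8.3: the "ldap" method keyword comes before the URL, the URL has the shape ldap[s]://server[:port]/basedn;prefix;suffix, and the bind DN is built as prefix + username + suffix with nothing added by the server (hence the leading comma on the suffix that both Scott and Dave point out). The checker below is an added example written for this thread, not code from any of the posters or from the PostgreSQL project. It tokenizes one record, parses the URL, shows the bind DN a given user name would produce, and flags the exact mistakes seen in the thread. The list of method names, the URL regex and the sample lines are my own constructions for illustration; the version check reflects Dave's point that LDAP auth arrived in 8.2.

```python
"""Check the LDAP auth-option syntax of a pg_hba.conf record (PostgreSQL 8.2/8.3 style).

Added example for the mailing-list thread above; not PostgreSQL's own parser.
"""
import re
from dataclasses import dataclass

# Method names accepted in the METHOD column on 8.3 (assumed set, for illustration).
KNOWN_METHODS = {"trust", "reject", "md5", "crypt", "password", "gss", "sspi",
                 "krb5", "ident", "ldap", "pam"}

# ldap[s]://servername[:port]/base dn[;prefix[;suffix]]  (shape described in the 8.2/8.3 docs)
URL_RE = re.compile(r"^(ldaps?)://([^:/;]+)(?::(\d+))?/([^;]*)(?:;([^;]*)(?:;(.*))?)?$")


@dataclass
class LdapAuthSpec:
    scheme: str
    host: str
    port: int
    base_dn: str
    prefix: str
    suffix: str

    def bind_dn(self, username: str) -> str:
        # The server binds as prefix + username + suffix; it adds no attribute name and no base DN.
        return f"{self.prefix}{username}{self.suffix}"


def ldap_auth_supported(version: str) -> bool:
    """LDAP authentication first shipped in PostgreSQL 8.2; 8.1.x rejects the method."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) >= (8, 2)


def parse_ldap_url(url: str):
    """Return an LdapAuthSpec for a well-formed URL, or None."""
    m = URL_RE.match(url)
    if not m:
        return None
    scheme, host, port, base_dn, prefix, suffix = m.groups()
    default_port = 636 if scheme == "ldaps" else 389
    return LdapAuthSpec(scheme, host, int(port) if port else default_port,
                        base_dn, prefix or "", suffix or "")


def check_hba_line(line: str):
    """Return (spec_or_None, problems) for one pg_hba.conf record.

    spec is None for non-LDAP records and for records too broken to parse.
    """
    problems = []
    # Records are one line; a double-quoted token may contain spaces.
    tokens = re.findall(r'"[^"]*"|\S+', line.strip())
    if len(tokens) < 5:
        problems.append("record needs TYPE DATABASE USER CIDR-ADDRESS METHOD on one line")
        return None, problems
    method = tokens[4].strip('"')
    options = [t.strip('"') for t in tokens[5:]]
    if method.startswith(("ldap://", "ldaps://")):
        # The original poster's mistake: the URL sits where the method keyword belongs.
        problems.append('URL found in the METHOD column; write the method keyword "ldap" first, then the URL')
        options = [method] + options
        method = "ldap"
    elif method not in KNOWN_METHODS:
        problems.append(f"unknown authentication method {method!r}")
        return None, problems
    if method != "ldap":
        return None, problems
    if not options:
        problems.append("ldap method needs an auth-option URL after it")
        return None, problems
    spec = parse_ldap_url(options[0])
    if spec is None:
        problems.append(f"cannot parse LDAP URL {options[0]!r}")
        return None, problems
    if not spec.prefix and not spec.suffix:
        problems.append("prefix and suffix are both empty; the bind DN would be the bare user name")
    if spec.prefix and not spec.prefix.endswith("="):
        problems.append(f"prefix {spec.prefix!r} does not end with '='; the RDN will be malformed")
    if spec.suffix and "=" in spec.suffix and not spec.suffix.startswith(","):
        # Dave's mistake: without the leading comma the RDN runs straight into the suffix.
        problems.append(f"suffix {spec.suffix!r} should start with ',' so it joins the RDN cleanly")
    return spec, problems


if __name__ == "__main__":
    # Constructed sample records modelled on the lines discussed in the thread.
    samples = [
        "host all all 202.18.10.0/24 ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people",
        'host all all 10.0.0.0/24 ldap "ldap://ldap.example.com/dc=example,dc=com;uid=;ou=People,dc=example,dc=com"',
        'host all all 202.18.10.0/24 ldap "ldap://server:389/ou=People,dc=example,dc=com;uid=;,ou=People,dc=example,dc=com"',
    ]
    for line in samples:
        spec, problems = check_hba_line(line)
        print(line)
        print("  bind DN for 'alice':", spec.bind_dn("alice") if spec else "n/a")
        for p in problems:
            print("  problem:", p)
    print("8.1.11 supports ldap auth:", ldap_auth_supported("8.1.11"))
```

Run it to see the bind DN each record would actually produce for a given user: the good record yields uid=alice,ou=People,dc=example,dc=com, while the missing-comma variant yields uid=aliceou=People,dc=example,dc=com, which explains why Dave's first attempt failed even though the line parsed. Note that this only checks syntax; as Scott says, the role must also exist in the database, and a failed bind is best diagnosed from the LDAP server's own log.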