Thread: pgSql authentication problem with openLdap

pgSql authentication problem with openLdap

From: sandiphw
We have installed postgresql 8.1.11 in CentOS, also installed openLdap
2.3.27. I have tried a lot to authenticate the user against ldap but
couldn't succeed. Can anyone pl help me out?

I have added the following entry in pg_hba.conf

host  all  all  202.18.10.0/24
ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people

My ldap server ip is 202.18.10.1
     domain is abc.net
     all users are under ou=People,dc=abc,dc=net


Though I have found a few discussions about the same issues and bugs, I
couldn't fix my problem.


--
View this message in context: http://www.nabble.com/pgSql-authentication-problem-with-openLdap-tp23021809p23021809.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.


Re: pgSql authentication problem with openLdap

From: sandiphw
Sorry, forgot to mention the log message of pgsql:

invalid entry in the file pg_hba.conf at line 82, token "ldap://202......
"
fatal: missing of erroneous pg_hba.conf file


Re: pgSql authentication problem with openLdap

From: Raymond O'Donnell
On 13/04/2009 13:49, sandiphw wrote:

> invalid entry in the file pg_hba.conf at line 82, token "ldap://202......
> "
> fatal: missing of erroneous pg_hba.conf file

Have you got double-quotes around the entry in pg_hba.conf? According to
the docs, it's a good idea to do that.

http://www.postgresql.org/docs/8.3/static/auth-methods.html#AUTH-LDAP

Ray.

------------------------------------------------------------------
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
rod@iol.ie
Galway Cathedral Recitals: http://www.galwaycathedral.org/recitals
------------------------------------------------------------------

Re: pgSql authentication problem with openLdap

From: sandiphw
I have tried all possible variations of syntax I can imagine, like

host  all  all  202.18.10.0/24
ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people
host  all  all  202.18.10.0/24   ldap
ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people
host  all  all  202.18.10.0/24
"ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people"
host  all  all  202.18.10.0/24
ldap://202.18.10.1:389/dc=abc,dc=net;cn=;,dc=holtecnet,dc=com

But all show the same error in the postgresql log.

I must be making some basic syntax error. Has anybody got it working?


Re: pgSql authentication problem with openLdap

From: Raymond O'Donnell
On 14/04/2009 13:28, sandiphw wrote:
> host  all  all  202.18.10.0/24
> "ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people"

I don't know anything about LDAP, I'm only scanning the PG docs, but
this version is missing the "ldap" method. It should be:

  host  all  all  202.18.10.0/24  ldap  "ldap://....(etc)..."

Also, is it really on two lines in your pg_hba.conf, or is this just
your mail client (or maybe mine) wrapping it? Records must be on a
single line each.

Did you remember to SIGHUP the server after changing pg_hba.conf?

Finally, is it possible that something somewhere else in the file is
broken? Try commenting out everything except -

    host   all   all   127.0.0.1/32   md5

- and see if you can connect locally. If that works, re-introduce other
records one by one till you find the offender.

Ray.

------------------------------------------------------------------
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
rod@iol.ie
Galway Cathedral Recitals: http://www.galwaycathedral.org/recitals
------------------------------------------------------------------

Re: pgSql authentication problem with openLdap

From: Scott Mead

On Tue, Apr 14, 2009 at 8:28 AM, sandiphw <sandiphw@hotmail.com> wrote:

> I have tried all possible variations of syntax I can imagine, like
> ldap://202.18.10.1:389/dc=abc,dc=net;cn=;,dc=holtecnet,dc=com

host all all <blah>  ldap "ldap://server:389/ou=People,dc=example,dc=com;uid=;,ou=People,dc=example,dc=com"


It's very important to have the:

  ...;uid=;,ou=People,dc=example,dc=com

  Postgres is not automatically pre-pending the attribute name and it's not appending the basedn.  Also note... the comma before the basedn.  If you don't have that there, it won't work.

After that, login to the database as superuser and type:

  create user <usernamefromldap>

  You can't login to pg via ldap unless you have created the user in the db first.

   If that doesn't work, check your ldap server logs.  Also, is this really openLDAP or  AD? I've seen wackiness with AD even though openLdap was working with the same basic schema.

--Scott

Re: pgSql authentication problem with openLdap

From: Dave Page
On Tue, Apr 14, 2009 at 1:28 PM, sandiphw <sandiphw@hotmail.com> wrote:
>
> I have tried all possible variations of syntax I can imagine, like
>
> host  all  all  202.18.10.0/24
> ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people
> host  all  all  202.18.10.0/24   ldap
> ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people
> host  all  all  202.18.10.0/24
> "ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people"
> host  all  all  202.18.10.0/24
> ldap://202.18.10.1:389/dc=abc,dc=net;cn=;,dc=holtecnet,dc=com
>
> But all show the same error in the postgresql log.
>
> I must be making some basic syntax error. Has anybody got it working?

I had cause to test LDAP auth the other day. This is the pg_hba.conf
line I used:

host all all 172.24.32.0/24 ldap "ldap://ldap.ox.uk.enterprisedb.com/dc=enterprisedb,dc=com;uid=;,ou=People,dc=enterprisedb,dc=com"

It took me an embarrassing amount of time to get it right though - I
missed the leading comma on the suffix :-)

I see you are using 8.1.11 though - first, if you are using 8.1, it
should be 8.1.17. Second, ldap auth support was added in 8.2 which
explains the syntax error. I would grab 8.3.7 and use that.

--
Dave Page
EnterpriseDB UK:   http://www.enterprisedb.com
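
The checks suggested in the replies above (single line, `ldap` method present, quoted URL, attribute prefix, leading comma on the suffix) can be run mechanically. The following is an added example, not code from any poster or from PostgreSQL; the function name and the sample login `alice` are assumptions, and the prefix check covers only the DN-style `uid=` form discussed in this thread.

```python
import re

# URL form used in this thread (PostgreSQL 8.2/8.3 pg_hba.conf):
#   ldap://host[:port]/basedn;prefix;suffix
URL_RE = re.compile(
    r'^ldaps?://[^/:]+(?::\d+)?/(?P<base>[^;]*)(?:;(?P<prefix>[^;]*))?(?:;(?P<suffix>.*))?$')

def check_hba_ldap(record, sample_user="alice"):
    """Return (problems, bind_dn) for one 'host ... ldap "url"' record.

    sample_user is a constructed login name used only to show the resulting DN.
    """
    problems = []
    if "\n" in record.strip():
        problems.append("record is split across lines; it must be a single line")
    # Whitespace-separated fields; double quotes keep the URL (and its commas) together.
    tokens = re.findall(r'"[^"]*"|\S+', record)
    if len(tokens) < 5 or tokens[0] != "host":
        return problems + ['expected: host <db> <user> <cidr> ldap "<url>"'], None
    if tokens[4] == "ldap":
        rest = tokens[5:]
    else:
        problems.append("auth method 'ldap' is missing before the URL")
        rest = tokens[4:]
    if not rest:
        return problems + ["no LDAP URL after the method"], None
    url = rest[0]
    if not (len(url) >= 2 and url[0] == '"' and url[-1] == '"'):
        problems.append("URL is not enclosed in double quotes")
    m = URL_RE.match(url.strip('"'))
    if not m:
        return problems + ["URL does not match ldap://host[:port]/basedn;prefix;suffix"], None
    prefix, suffix = m.group("prefix") or "", m.group("suffix") or ""
    if not prefix.endswith("="):
        problems.append("prefix does not name the attribute (e.g. 'uid=')")
    if not suffix.startswith(","):
        problems.append("suffix lacks the leading comma before the base DN")
    # The server binds as prefix + login name + suffix, with nothing added automatically.
    return problems, prefix + sample_user + suffix

# The working line and the first failing attempt, both taken from the thread.
GOOD = ('host all all 172.24.32.0/24 ldap '
        '"ldap://ldap.ox.uk.enterprisedb.com/dc=enterprisedb,dc=com;'
        'uid=;,ou=People,dc=enterprisedb,dc=com"')
BAD = ('host  all  all  202.18.10.0/24\n'
       'ldap://202.18.10.1:389/dc=abc,dc=net;;ou=people')

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(check_hba_ldap(rec))
```

For the first attempt the computed bind DN is `aliceou=people`, which is not a DN the directory can resolve.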

Re: pgSql authentication problem with openLdap

From: sandiphw
Thank you all for your help. Finally I have updated to version 8.3.7 and
am able to get it working with openldap with the following directive, as you
suggested:

host all all 202.18.10.0/24  ldap "ldap://202.18.10.1:389/ou=People,dc=example,dc=com;uid=;,ou=People,dc=example,dc=com"

