Thread: LDAP authentication not working
Hi, I'm running postgresql 9.1 on Debian and am trying to set up LDAP authentication using the following configuration in pg_hba.conf: hostssl testdb all 143.50.203.0/24 ldap ldapserver="wegc24.uni-graz.at" ldapport=636 ldapbinddn="cn=nss,dc=uni-graz,dc=at" ldapbindpasswd="<thepasswd>" ldapbasedn="dc=uni-graz,dc=at" Trying to access testdb via psql fails with the following error in the log: '''could not perform initial LDAP bind for ldapbinddn "cn=nss,dc=uni-graz,dc=at" on server "wegc24.uni-graz.at": error code -1''' Unfortunately I did not find what error code -1 means. Ldapsearch works fine: > ldapsearch -W -H ldaps://wegc24.uni-graz.at:636/ -D "CN=nss,DC=uni-graz,DC=at" Interesting is also, that postgres seems to not even reach the ldap server: If I change parameter ldapserver to a non-existing url it gives the same error code -1. Any help much appreciated! Best, Juergen
Attachment
I don't think SSL support for LDAP is supported. Have you tried TLS on port 389?
Hi,
I'm running postgresql 9.1 on Debian and am trying to set up LDAP
authentication using the following configuration in pg_hba.conf:
hostssl testdb all 143.50.203.0/24 ldap ldapserver="wegc24.uni-graz.at"
ldapport=636 ldapbinddn="cn=nss,dc=uni-graz,dc=at"
ldapbindpasswd="<thepasswd>" ldapbasedn="dc=uni-graz,dc=at"
Trying to access testdb via psql fails with the following error in the log:
'''could not perform initial LDAP bind for ldapbinddn
"cn=nss,dc=uni-graz,dc=at" on server "wegc24.uni-graz.at": error code -1'''
Unfortunately I did not find what error code -1 means.
Ldapsearch works fine:
> ldapsearch -W -H ldaps://wegc24.uni-graz.at:636/ -D
"CN=nss,DC=uni-graz,DC=at"
Interesting is also, that postgres seems to not even reach the ldap
server: If I change parameter ldapserver to a non-existing url it gives
the same error code -1.
Any help much appreciated!
Best,
Juergen
I don't think SSL support for LDAP is supported. Have you tried TLS on port 389?
On May 13, 2014 8:20 PM, "Jürgen Fuchsberger" <juergen.fuchsberger@uni-graz.at> wrote:Hi,
I'm running postgresql 9.1 on Debian and am trying to set up LDAP
authentication using the following configuration in pg_hba.conf:
hostssl testdb all 143.50.203.0/24 ldap ldapserver="wegc24.uni-graz.at"
ldapport=636 ldapbinddn="cn=nss,dc=uni-graz,dc=at"
ldapbindpasswd="<thepasswd>" ldapbasedn="dc=uni-graz,dc=at"
Trying to access testdb via psql fails with the following error in the log:
'''could not perform initial LDAP bind for ldapbinddn
"cn=nss,dc=uni-graz,dc=at" on server "wegc24.uni-graz.at": error code -1'''
Unfortunately I did not find what error code -1 means.
Ldapsearch works fine:
> ldapsearch -W -H ldaps://wegc24.uni-graz.at:636/ -D
"CN=nss,DC=uni-graz,DC=at"
Interesting is also, that postgres seems to not even reach the ldap
server: If I change parameter ldapserver to a non-existing url it gives
the same error code -1.
Any help much appreciated!
Best,
Juergen
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
On 05/14/2014 09:10 AM, Magnus Hagander wrote:
> On Wed, May 14, 2014 at 8:35 AM, Stephan Fabel <sfabel@hawaii.edu> <mailto:sfabel@hawaii.edu>> wrote:Thanks for the hint, no wonder it does not work. Unfortunately this info
>
> I don't think SSL support for LDAP is supported. Have you tried TLS
> on port 389?
>
is not in the postgres documentation.
>This does not work with our LDAP server (seems it is not configured to
> Correct, and you need to set ldaptls=1 to use that as well.
support TLS)
Any idea whether LDAP over SSL will be supported in future postgres
releases?
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
On May 14, 2014 12:56 AM, "Magnus Hagander" <magnus@hagander.net> wrote:
>
> On Wed, May 14, 2014 at 11:48 AM, Jürgen Fuchsberger <juergen.fuchsberger@uni-graz.at> wrote:
>>
>>
>>
>> On 05/14/2014 09:10 AM, Magnus Hagander wrote:
>> > On Wed, May 14, 2014 at 8:35 AM, Stephan Fabel <sfabel@hawaii.edu
>> > <mailto:sfabel@hawaii.edu>> wrote:
>> >
>> > I don't think SSL support for LDAP is supported. Have you tried TLS
>> > on port 389?
>> >
>> Thanks for the hint, no wonder it does not work. Unfortunately this info
>> is not in the postgres documentation.
>
>
> It is - indirectly, in the ldapurl documentation. "To use encrypted LDAP connections, the ldaptls option has to be used in addition to ldapurl. The ldaps URL scheme (direct SSL connection) is not supported."
In the documentation for 9.1 ldapurl is not mentioned. That's what the OP is using.
>> This does not work with our LDAP server (seems it is not configured to
>> support TLS)
>
> That's strangely configured. The LDAP TLS support (in the protocol) is the standardized one, and the "SSL wrapper" mode is not in the standard.
Enabling TLS on OpenLDAP is trivial, especially if you have SSL enabled already. Ask your SysAdmin.
> I *think* the "SSL wrapper" really is just that - wrap it in a standard SSL connection. In which case it might work if you set up stunnel or something like that to proxy the connection for you.
That would work, but it shouldn't be necessary. Just enable TLS in OpenLDAP.
>> Any idea whether LDAP over SSL will be supported in future postgres
>> releases?
>
> I am not aware of any such plans, but if you (or somebody else) is willing to write a patch, I don't see a reason it would be rejected. Even though it's non-standard, it's fairly widespread. I recall there being a reason it wasn't added in the first place, but I don't recall what it was.
>
I agree that it would be nice to support the LDAPS scheme in PostgreSQL as well.
-Stephan
> -------- Original Message -------- > Subject: Re: [GENERAL] LDAP authentication not working > Resent-From: <juergen.fuchsberger@uni-graz.at> > Date: Wed, 14 May 2014 06:47:45 -1000 > From: Stephan Fabel <sfabel@hawaii.edu> > To: Magnus Hagander <magnus@hagander.net> > CC: Postgres List <pgsql-general@postgresql.org>, Jürgen Fuchsberger > <juergen.fuchsberger@uni-graz.at> > > > > On May 14, 2014 12:56 AM, "Magnus Hagander" <magnus@hagander.net > <mailto:magnus@hagander.net>> wrote: >> On Wed, May 14, 2014 at 11:48 AM, Jürgen Fuchsberger > <juergen.fuchsberger@uni-graz.at > <mailto:juergen.fuchsberger@uni-graz.at>> wrote: >>> >>> >>> On 05/14/2014 09:10 AM, Magnus Hagander wrote: >>>> On Wed, May 14, 2014 at 8:35 AM, Stephan Fabel <sfabel@hawaii.edu > <mailto:sfabel@hawaii.edu> >>>> <mailto:sfabel@hawaii.edu <mailto:sfabel@hawaii.edu>>> wrote: >>>> >>>> I don't think SSL support for LDAP is supported. Have you tried TLS >>>> on port 389? >>> This does not work with our LDAP server (seems it is not configured to >>> support TLS) > Enabling TLS on OpenLDAP is trivial, especially if you have SSL enabled > already. Ask your SysAdmin. > > I did - as far as he knows we can not use both at the same time. Juergen.