Thread: Secured ldap connectivity between PostgreSQL and LDAPs server
Hi All,
We are using LDAP authentication for authenticating users in PostgreSQL on a Linux server, and we are able to authenticate successfully.
However, we want to configure secure LDAP (LDAPS) using certificates.
Please help me; I have a couple of questions about configuring LDAPS.
1. In which location do we need to keep the LDAPS certificate files on the PostgreSQL Linux server?
2. Do we need to change any configuration file for certificate references on the Linux server?
3. What needs to be changed in the postgresql.conf file and pg_hba.conf file?
Thanks
Chiru
On Fri, 2017-12-08 at 07:40 -0500, chiru r wrote:
> We are using LDAP authentication for authenticating users in
> PostgreSQL on a Linux server, and we are able to authenticate
> successfully.

Then one presumes you are using PAM (?) for password authentication - this question is really about pam_ldap, it is not specific to PostgreSQL in any way.

> Please help me; I have a couple of questions about configuring LDAPS.
> 1. In which location do we need to keep the LDAPS certificate files on the
> PostgreSQL Linux server?
> 2. Do we need to change any configuration file for certificate
> references on the Linux server?

The server should be configured to recognize certificates signed by whatever authority you are using - where they go to do that depends on your distribution. Usually that involves putting the signing certificate somewhere like /usr/share/pki/ca-trust-source/anchors/ and running "update-ca-trust". If your server already recognizes your CA you don't need to do anything other than changing PAM to use LDAPS.

> 3. What needs to be changed in the postgresql.conf file and pg_hba.conf
> file?

Nothing, PostgreSQL just calls the PAM library. It does not care what happens beneath that.

-- 
Meetings Coordinator, Michigan Association of Railroad Passengers
537 Shirley St NE Grand Rapids, MI 49503-1754
Phone: 616.581.8010 E-mail: awilliam@whitemice.org GPG#D95ED383 Web: http://www.marp.org
Greetings Chiru, Adam,

* chiru r (chirupg@gmail.com) wrote:
> We are using LDAP authentication for authenticating users in PostgreSQL on
> a Linux server, and we are able to authenticate successfully.

What LDAP server are you connecting to for authentication..? If you're using Active Directory then you really should be using Kerberos/GSSAPI, not LDAP (or LDAPS). With LDAP-based authentication, the user's password is sent in cleartext (or tunneled cleartext if you're using SSL) and then used by the server to try to validate the user in LDAP. That's much worse from a security perspective than using Kerberos/GSSAPI, and in an AD environment Kerberos is already set up and available.

> However, we want to configure secure LDAP (LDAPS) using certificates.

Are you looking to have client-side certificates, or do you just want to validate the LDAP server's certificate?

> Please help me; I have a couple of questions about configuring LDAPS.
>
> 1. In which location do we need to keep the LDAPS certificate files on the PostgreSQL
> Linux server?

On Linux, PostgreSQL will be using ldap_start_tls_s() if you have ldaptls=1, and then it's up to the LDAP library you've built your PostgreSQL server against how to deal with anything further. Most likely this is OpenLDAP and it'll be built against OpenSSL or GnuTLS, and you'll have some system-wide certificate store which you can place the CA's certificate into (eg: /etc/ssl).

> 2. Do we need to change any configuration file for certificate references
> on the Linux server?

Not likely. If you do, though, it'd be in either the configuration for OpenLDAP or for the SSL library it's built against (as installed on your system).

> 3. What needs to be changed in the postgresql.conf file and pg_hba.conf file?

ldaptls=1 is the main thing to get PG to use ldap_start_tls_s().

* Adam Tauno Williams (awilliam@whitemice.org) wrote:
> On Fri, 2017-12-08 at 07:40 -0500, chiru r wrote:
> > We are using LDAP authentication for authenticating users in
> > PostgreSQL on a Linux server, and we are able to authenticate
> > successfully.
>
> Then one presumes you are using PAM (?) for password authentication -
> this question is really about pam_ldap, it is not specific to
> PostgreSQL in any way.

I'm not sure why you're thinking this involves PAM at all; PostgreSQL supports the ability to authenticate users against an LDAP directory directly. Not that it's a good idea, because it isn't, as discussed above. pam_ldap *could* be used, but definitely my assumption going in here is that the pg_hba.conf has been configured to use the 'ldap' auth method, not the 'pam' auth method. Hopefully that's the case, or most of what I've gone through here isn't accurate and we'd have to get into talking about PAM. ;)

> > Please help me; I have a couple of questions about configuring LDAPS.
> > 1. In which location do we need to keep the LDAPS certificate files on the
> > PostgreSQL Linux server?
> > 2. Do we need to change any configuration file for certificate
> > references on the Linux server?
>
> The server should be configured to recognize certificates signed by
> whatever authority you are using - where they go to do that depends on
> your distribution. Usually that involves putting the signing
> certificate somewhere like /usr/share/pki/ca-trust-source/anchors/ and
> running "update-ca-trust". If your server already recognizes your CA
> you don't need to do anything other than changing PAM to use LDAPS.

Right, though this will depend on the specific Linux distribution, of course.

> > 3. What needs to be changed in the postgresql.conf file and pg_hba.conf
> > file?
>
> Nothing, PostgreSQL just calls the PAM library. It does not care what
> happens beneath that.

PostgreSQL calls into the OpenLDAP library, as discussed above, at least when the 'ldap' auth method is being used.

Thanks!

Stephen
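Added example, not part of this thread or of the PostgreSQL project: a small POSIX shell check for the pg_hba.conf point made above. It lists every uncommented entry that uses the 'ldap' auth method without asking for TLS, so the plaintext simple bind Stephen describes can be spotted before it reaches production. The function name, the ldap.example.com host and the sample pg_hba.conf lines are constructed for the demo. It goes slightly beyond the thread by also accepting ldapscheme=ldaps and ldapurl=ldaps://..., which only exist in PostgreSQL 11 and later; the thread itself only discusses ldaptls=1.

```shell
#!/bin/sh
# Added example for this thread (not PostgreSQL project code): audit a
# pg_hba.conf for 'ldap' entries that do not request TLS. The function
# names, hostnames and sample entries below are hypothetical/constructed.
#
# pg_hba.conf fields are whitespace separated; the auth method is a bare
# token ('ldap'), while options such as ldapserver=... contain '='.
# Matching a token that is exactly 'ldap' therefore selects LDAP-method
# lines only, regardless of how many address/netmask fields precede it.

# audit_pg_hba_ldap FILE
#   Prints every uncommented 'ldap' entry that lacks a TLS option and
#   returns 1 if any were found, 0 otherwise.
audit_pg_hba_ldap() {
    file=$1
    # ldaptls=1 is the option this thread recommends (STARTTLS to the
    # directory). ldapscheme=ldaps and ldapurl=ldaps://... exist only in
    # PostgreSQL 11 and later; they are accepted so the check does not
    # flag them. '|| true' keeps an empty result from being an error.
    insecure=$(
        sed 's/#.*//' "$file" \
        | grep -E '(^|[[:space:]])ldap([[:space:]]|$)' \
        | grep -v -E 'ldaptls=1|ldapscheme=ldaps|ldapurl="?ldaps://' \
        || true
    )
    if [ -n "$insecure" ]; then
        printf 'INSECURE (LDAP bind without TLS):\n%s\n' "$insecure"
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed pg_hba.conf.
demo_pg_hba_ldap() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
# Plain LDAP simple bind: the password crosses the wire to the directory in cleartext.
host    all       all   10.0.0.0/8     ldap ldapserver=ldap.example.com ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=com"
# Same entry with ldaptls=1: PostgreSQL issues STARTTLS before binding.
hostssl all       all   10.0.1.0/24    ldap ldapserver=ldap.example.com ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=com"
EOF
    audit_pg_hba_ldap "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_pg_hba_ldap
status=$?
echo "audit exit status: $status (1 means at least one entry was flagged)"
```

Run it as `sh audit.sh` or source it and call `audit_pg_hba_ldap /etc/postgresql/.../pg_hba.conf` from a deployment check. Two caveats a reviewer would raise: ldaptls=1 only protects the hop from PostgreSQL to the directory, so the client-to-PostgreSQL hop still needs a `hostssl` rule or the password arrives at the database in the clear; and whether the directory's certificate is actually verified is decided by the OpenLDAP client configuration and the system trust store, as the replies above explain, not by anything in pg_hba.conf.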