Thread: Multiple LDAP Servers for ldap Authentication

Multiple LDAP Servers for ldap Authentication

From
"Kumar, Virendra"
Date:

Hi,

I am going through the ldap authentication documents in PostgreSQL and found that we can specify multiple ldap servers, but I am not sure how. I have put two entries in double quotes like below:

--

host    all     all                            0.0.0.0/0              ldap ldapserver="server1.com server2.com" ldapprefix=PROD01\
There is no complaint when reloading the pg_hba.conf file; however, when server1.com is down the connection just times out instead of trying server2. Does anybody have an idea how to configure it or how to make this work?

 

Regards,

Virendra




This message is intended only for the use of the addressee and may contain
information that is PRIVILEGED AND CONFIDENTIAL.

If you are not the intended recipient, you are hereby notified that any
dissemination of this communication is strictly prohibited. If you have
received this communication in error, please erase all copies of the message
and its attachments and notify the sender immediately. Thank you.

Re: Multiple LDAP Servers for ldap Authentication

From
Alvaro Herrera
Date:
Hello Virendra

On 2018-Dec-20, Kumar, Virendra wrote:

> I am going through ldap authentication documents in PostgreSQL and found that we can specify multiple ldap servers
> but sure how. I have put two entries in double quotes like below:
>
> --
> host    all     all                            0.0.0.0/0              ldap ldapserver="server1.com server2.com"
> ldapprefix=PROD01\
>
> There is no complain when reloading the pg_hba.conf file however when server1.com is down the connection just times
> out instead of trying server2. Does anybody have idea how to configure it or how to make this work.

Reading the server code, I find this rather surprising.  The ldapserver
string is passed directly to ldap_init(), which per its manual should
use the multiple servers:
  "The host parameter may contain a blank-separated list of hosts to try
   to connect to, and each host may optionally be of the form
   host:port."
     ( quoted from https://linux.die.net/man/3/ldap_init )

Maybe the library you have does not behave in the same way?  It would be
good to confirm that the LDAP library you have is OpenLDAP and not
something else.  Can you run an `ldd` on the postgres binary and see
what the output says about ldap?

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


RE: Multiple LDAP Servers for ldap Authentication

From
"Kumar, Virendra"
Date:
This is what I see:
--
[postgres@usdf24v0131 ~]$ which postgres
/opt/postgres/10/bin/postgres
[postgres@usdf24v0131 ~]$ ldd /opt/postgres/10/bin/postgres
        linux-vdso.so.1 =>  (0x00007ffee3fe8000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f9a7f125000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f9a7ef1d000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f9a7ed19000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f9a7ea17000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f9a7e7c2000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f9a7e3f5000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9a7f341000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f9a7e1e6000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f9a7dfcd000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f9a7ddb0000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f9a7db3e000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f9a7d6dd000)
        libssl3.so => /lib64/libssl3.so (0x00007f9a7d48b000)
        libsmime3.so => /lib64/libsmime3.so (0x00007f9a7d264000)
        libnss3.so => /lib64/libnss3.so (0x00007f9a7cf37000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007f9a7cd08000)
        libplds4.so => /lib64/libplds4.so (0x00007f9a7cb04000)
        libplc4.so => /lib64/libplc4.so (0x00007f9a7c8ff000)
        libnspr4.so => /lib64/libnspr4.so (0x00007f9a7c6c1000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f9a7c48a000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f9a7c23d000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f9a7bf54000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f9a7bd39000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f9a7bb35000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f9a7b926000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f9a7b710000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f9a7b50d000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f9a7b309000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f9a7b0e2000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f9a7ae80000)


Regards,
Virendra

-----Original Message-----
From: Alvaro Herrera [mailto:alvherre@2ndquadrant.com]
Sent: Thursday, December 20, 2018 1:47 PM
To: Kumar, Virendra
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Multiple LDAP Servers for ldap Authentication


Re: Multiple LDAP Servers for ldap Authentication

From
Alvaro Herrera
Date:
On 2018-Dec-20, Kumar, Virendra wrote:

> This is what I see:
> --
> [postgres@usdf24v0131 ~]$ which postgres
> /opt/postgres/10/bin/postgres
> [postgres@usdf24v0131 ~]$ ldd /opt/postgres/10/bin/postgres
>         linux-vdso.so.1 =>  (0x00007ffee3fe8000)
>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f9a7f125000)
>         librt.so.1 => /lib64/librt.so.1 (0x00007f9a7ef1d000)
>         libdl.so.2 => /lib64/libdl.so.2 (0x00007f9a7ed19000)
>         libm.so.6 => /lib64/libm.so.6 (0x00007f9a7ea17000)
>         libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f9a7e7c2000)

I'm going to risk it and say that this is indeed OpenLDAP -- but you can
confirm by doing this:
rpm -qf /lib64/libldap-2.4.so.2

Anyway, little birdies tell me that OpenLDAP does not really live up to
its own documentation, because this feature does not in fact work.

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


Re: Multiple LDAP Servers for ldap Authentication

From
Alvaro Herrera
Date:
On 2018-Dec-20, Kumar, Virendra wrote:

> I am going through ldap authentication documents in PostgreSQL and found that we can specify multiple ldap servers
> but sure how. I have put two entries in double quotes like below:
>
> --
> host    all     all                            0.0.0.0/0              ldap ldapserver="server1.com server2.com"
> ldapprefix=PROD01\

Does it work if you change the string this way?

ldapserver="server1.com, server2.com"

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


RE: Multiple LDAP Servers for ldap Authentication

From
"Kumar, Virendra"
Date:
Comma-separated doesn't work either.


Regards,
Virendra

-----Original Message-----
From: Alvaro Herrera [mailto:alvherre@2ndquadrant.com]
Sent: Thursday, December 20, 2018 2:21 PM
To: Kumar, Virendra
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Multiple LDAP Servers for ldap Authentication


RE: Multiple LDAP Servers for ldap Authentication

From
"Kumar, Virendra"
Date:
[postgres@xxxxxxx ~]$ rpm -qf /lib64/libldap-2.4.so.2
openldap-2.4.44-20.el7.x86_64


Regards,
Virendra
-----Original Message-----
From: Alvaro Herrera [mailto:alvherre@2ndquadrant.com]
Sent: Thursday, December 20, 2018 2:01 PM
To: Kumar, Virendra
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Multiple LDAP Servers for ldap Authentication


Re: Multiple LDAP Servers for ldap Authentication

From
Alvaro Herrera
Date:
On 2018-Dec-20, Kumar, Virendra wrote:

> Comma-separated doesn't work either.

Please separate by a comma and a space, not just a comma.  My reading of
the OpenLDAP source code, and some quick experiments comparing failure
patterns, suggest that that exact combination may work.  (OpenLDAP is
not exactly well commented.)  I think one problem you may or may not hit
is the PostgreSQL authentication timeout expiring sooner than OpenLDAP
is willing to try the second server.

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


RE: Multiple LDAP Servers for ldap Authentication

From
"Kumar, Virendra"
Date:
Hi Alvaro,

Tried with a comma and a space but it timed out one more time:
--
2018-12-20 14:34:56.070 CST [64618] FATAL:  canceling authentication due to timeout

Okay, so how would I configure openldap to try another ldap server within x amount of time if the first one is not working?

Regards,
Virendra
-----Original Message-----
From: Alvaro Herrera [mailto:alvherre@2ndquadrant.com]
Sent: Thursday, December 20, 2018 3:25 PM
To: Kumar, Virendra
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Multiple LDAP Servers for ldap Authentication


RE: Multiple LDAP Servers for ldap Authentication

From
"Kumar, Virendra"
Date:
I figured it out; this is how it works:
--
host    all     all                            0.0.0.0/0              ldap ldapserver=server1.com ldapserver=server2.com ldapprefix=PROD01\

So the documentation needs some update.

Regards,
Virendra

-----Original Message-----
From: Alvaro Herrera [mailto:alvherre@2ndquadrant.com]
Sent: Thursday, December 20, 2018 3:25 PM
To: Kumar, Virendra
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Multiple LDAP Servers for ldap Authentication


Re: Multiple LDAP Servers for ldap Authentication

From
Christopher Browne
Date:
On Thu, 20 Dec 2018 at 16:17, Kumar, Virendra
<Virendra.Kumar@guycarp.com> wrote:
>
> I figured it out, this is how it works:
> --
> host    all     all                            0.0.0.0/0              ldap ldapserver=server1.com
> ldapserver=server2.com ldapprefix=PROD01\
>
> So documentation need some update.

Looking at the docs (doc/src/sgml/client-auth.sgml), it appears to be
correct, though it is somewhat ambiguous in that I'd expect
"ldapserver=server1.com server2.com" to be OK rather than needing
"ldapserver=server1.com ldapserver2.com" instead.  I'm not certain of
a way to explain this better.

     <varlistentry>
      <term><literal>ldapserver</literal></term>
      <listitem>
       <para>
        Names or IP addresses of LDAP servers to connect to. Multiple
        servers may be specified, separated by spaces.
       </para>
      </listitem>
     </varlistentry>

Perhaps the attached?


-- 
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"

Attachment

RE: Multiple LDAP Servers for ldap Authentication

From
"Kumar, Virendra"
Date:
Hi Chris,

It is better explained if we include an example in the documentation. That will be self-explanatory.

Regards,

Virendra


-----Original Message-----
From: Christopher Browne [mailto:cbbrowne@gmail.com]
Sent: Thursday, December 20, 2018 6:16 PM
To: Kumar, Virendra
Cc: Alvaro Herrera; pgsql-general@lists.postgresql.org
Subject: Re: Multiple LDAP Servers for ldap Authentication


Re: Multiple LDAP Servers for ldap Authentication

From
Richard Yen
Date:


On Thu Dec, 20, 2018 at 9:17 PM Kumar, Virendra <Virendra.Kumar@guycarp.com> wrote:
> I figured it out, this is how it works:
> --
> host    all     all                            0.0.0.0/0              ldap ldapserver=server1.com ldapserver=server2.com ldapprefix=PROD01\
>
> So documentation need some update.

Just FYI, I tried out this method on my setup, and it did not work.  Postgres (I tried on v. 10 and v. 12) will always pick the last "ldapserver=" tag that it parses.  Alvaro's format (ldapserver="server1 server2") works for me.  To be clear:

<snippet>
# does not work:
host   all         all      0.0.0.0/0  ldap ldapserver=ldap-service1 ldapserver=ldap-service2 ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389

# this works:
host   all         all      0.0.0.0/0  ldap ldapserver="ldap-service1 ldap-service2" ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389
</snippet>

For anyone who comes across this in the future, I have also compiled a short YouTube video to demonstrate the behavior of the two formats: https://youtu.be/kjlwwfHdpWg

--Richard

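As an added example (not code from the thread, nor PostgreSQL's own parser), here is a small Python lint for pg_hba.conf ldap lines that reproduces the behaviour the thread settles on: options are whitespace-separated with double-quoted values kept whole, a repeated ldapserver= option keeps only its last value, and a single quoted space-separated list is what reaches ldap_init(). The sample lines are constructed after the ones posted above; the TLS check at the end is my own caveat, not something the thread raises.

```python
"""Lint pg_hba.conf ldap lines for the pitfalls discussed in this thread:
a repeated ldapserver= option (PostgreSQL keeps only the last value) versus
one quoted, space-separated host list handed to OpenLDAP's ldap_init()."""
from typing import Dict, List, Tuple

# Constructed sample lines, modelled on the ones posted in the thread.
SAMPLE_LINES = [
    'host all all 0.0.0.0/0 ldap ldapserver=ldap-service1 ldapserver=ldap-service2 '
    'ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389',
    'host all all 0.0.0.0/0 ldap ldapserver="ldap-service1 ldap-service2" '
    'ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389',
    'host all all 0.0.0.0/0 ldap ldapserver="server1.com server2.com" ldapprefix=PROD01\\',
]


def tokenize(line: str) -> List[str]:
    """Split on whitespace; a double-quoted value (which may contain spaces) stays one token."""
    tokens: List[str] = []
    cur, in_quote = "", False
    for ch in line.strip():
        if ch == '"':
            in_quote = not in_quote  # quotes delimit the value and are dropped
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def lint_ldap_line(line: str) -> Tuple[List[str], List[str]]:
    """Return (effective LDAP hosts, warnings) for one pg_hba.conf line."""
    tokens = tokenize(line)
    method_idx = 3 if tokens and tokens[0] == "local" else 4  # local lines have no ADDRESS column
    if len(tokens) <= method_idx or tokens[method_idx] != "ldap":
        return [], ["not an ldap authentication line"]
    opts: Dict[str, str] = {}
    warnings: List[str] = []
    for opt in tokens[method_idx + 1:]:
        key, sep, val = opt.partition("=")
        if not sep:
            warnings.append(f"malformed option {opt!r}")
            continue
        if key in opts:
            # PostgreSQL stores each option in one field of the parsed line, so the last one wins
            warnings.append(f"{key}= repeated; earlier value {opts[key]!r} is discarded")
        opts[key] = val
    hosts = opts.get("ldapserver", "").split()
    if not hosts:
        warnings.append("no ldapserver= option")
    elif len(hosts) > 1:
        warnings.append(f"{len(hosts)} hosts go to ldap_init() as one list; failover to a later host "
                        "has to finish inside PostgreSQL's authentication_timeout")
    # Extra caveat: without TLS the bind password crosses the network in cleartext
    # (ldapscheme=ldaps exists from PostgreSQL 11 on).
    if opts.get("ldaptls") != "1" and opts.get("ldapscheme") != "ldaps":
        warnings.append("neither ldaptls=1 nor ldapscheme=ldaps: bind password sent in cleartext")
    return hosts, warnings


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(lint_ldap_line(sample))
```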