Thread: integrate Postgres Users Authentication with our own LDAP Server

integrate Postgres Users Authentication with our own LDAP Server

From
M Tarkeshwar Rao
Date:

Hi all,

We would need to integrate Postgres Users Authentication with our own LDAP Server.

Basically as of now we are able to login to Postgres DB with a user/password credential.

These user objects are the part of Postgres DB server. Now we want that these users should be authenticated by LDAP server.

We would want the authentication to be done with LDAP, so basically the user credentials should be stored in LDAP server.

Can you mention the prescribed steps in Postgres needed for this integration with LDAP Server?

Regards

Tarkeshwar

Re: integrate Postgres Users Authentication with our own LDAP Server

From
Achilleas Mantzios
Date:
On 9/5/19 7:51 a.m., M Tarkeshwar Rao wrote:

> Hi all,
>
> We would need to integrate Postgres Users Authentication with our own LDAP Server.
>
> Basically as of now we are able to login to Postgress DB with a user/password credential.
>
> These user objects are the part of Postgres DB server. Now we want that these users should be authenticated by LDAP server.
> We would want the authentication to be done with LDAP, so basically the user credentials should be store in LDAP server
>
> Can you mention the prescribed steps in Postgres needed for this integration with LDAP Server?

The users must exist as PostgreSQL users. Authorization (roles, privileges, etc.) will also be taken from the PostgreSQL definitions, grants, etc. But the authentication will be done in LDAP.
It is done in pg_hba.conf. There are two ways to do this (with 1 or 2 phases). We have successfully used both Lotus Notes LDAP and FreeIPA LDAP with our production PostgreSQL servers, and I have tested with OpenLDAP as well, so I guess chances are that it will work with yours.

> Regards
>
> Tarkeshwar

-- 
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt

Re: integrate Postgres Users Authentication with our own LDAP Server

From
Laurenz Albe
Date:
On Thu, 2019-05-09 at 04:51 +0000, M Tarkeshwar Rao wrote:
> We would need to integrate Postgres Users Authentication with our own LDAP Server.  
>  
> Basically as of now we are able to login to Postgress DB with a user/password credential.
>
> [roles "pg_signal_backend" and "postgres"]
>  
> These user objects are the part of Postgres DB server. Now we want that these users should be authenticated by LDAP server.
> We would want the authentication to be done with LDAP, so basically the user credentials should be store in LDAP server
>  
> Can you mention the prescribed steps in Postgres needed for this integration with LDAP Server?

LDAP authentication is well documented:
https://www.postgresql.org/docs/current/auth-ldap.html

But I don't think you are on the right track.

"pg_signal_backend" cannot login, it is a role to which you add a login user
to give it certain privileges.  So you don't need to authenticate the role.

"postgres" is the installation superuser.  If security is important for you,
you won't set a password for that user and you won't allow remote logins
with that user.

But for your application users LDAP authentication is a fine thing, and not
hard to set up if you know a little bit about LDAP.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
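
An added example, not part of any message in this thread: a pg_hba.conf fragment showing the two LDAP modes mentioned above (one-phase simple bind and two-phase search+bind) together with the superuser restrictions Laurenz describes. The host name, DNs, address range, database `appdb` and group role `ldap_users` are assumptions made for illustration.

```conf
# pg_hba.conf (constructed example; all names and addresses are placeholders)
# TYPE   DATABASE  USER         ADDRESS       METHOD  OPTIONS
# The first matching line wins, so the superuser rules come first.

# Installation superuser: Unix-socket access only, authenticated by the
# operating-system user (peer). No password is set for the role, and any
# network connection as "postgres" is rejected.
local    all       postgres                   peer
host     all       postgres     0.0.0.0/0     reject
host     all       postgres     ::/0          reject

# Application users. Every LDAP user must also exist as a PostgreSQL role
# (e.g. CREATE ROLE alice LOGIN IN ROLE ldap_users;). LDAP only checks the
# password; roles, grants and privileges stay in PostgreSQL.
#
# hostssl: with the ldap method the client sends its password to the
# PostgreSQL server in clear text, so the client connection needs SSL.
# ldaptls=1: encrypts the separate PostgreSQL -> LDAP server connection.

# Way 1, simple bind (one phase): the server binds to LDAP as
# ldapprefix + user name + ldapsuffix using the password the client sent.
# Values containing commas or spaces are written in double quotes.
hostssl  appdb     +ldap_users  10.0.0.0/8    ldap ldapserver=ldap.example.net ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=net"

# Way 2, search+bind (two phases): the server first binds with a service
# account, searches below ldapbasedn for an entry whose ldapsearchattribute
# equals the user name, then re-binds as the DN it found with the client's
# password. Use this instead of Way 1 when user entries live in several
# subtrees. ldapbindpasswd is stored in this file in clear text, so keep
# pg_hba.conf readable by the postgres OS user only.
#hostssl appdb     +ldap_users  10.0.0.0/8    ldap ldapserver=ldap.example.net ldaptls=1 ldapbasedn="ou=people,dc=example,dc=net" ldapsearchattribute=uid ldapbinddn="cn=pgsearch,ou=services,dc=example,dc=net" ldapbindpasswd="CHANGE_ME"

# Everything else is refused.
host     all       all          0.0.0.0/0     reject
host     all       all          ::/0          reject
```

After editing the file, reload the server configuration (for example with `SELECT pg_reload_conf();`) for the new rules to take effect.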




RE: integrate Postgres Users Authentication with our own LDAP Server

From
M Tarkeshwar Rao
Date:
We want to set up LDAP authentication in pg_hba.conf for PostgreSQL users (other than the postgres superuser).

We are getting an issue with special characters by following the steps given in the Postgres documentation.
It is not accepting any special characters, as special characters are mandatory in our use case.

Can you please help us or have you any steps by which we can configure any postgres with LDAP?

-----Original Message-----
From: Laurenz Albe <laurenz.albe@cybertec.at> 
Sent: Thursday, May 9, 2019 12:12 PM
To: M Tarkeshwar Rao <m.tarkeshwar.rao@ericsson.com>; pgsql-general <pgsql-general@lists.postgresql.org>;
'postgres-discuss@mailman.lmera.ericsson.se'<postgres-discuss@mailman.lmera.ericsson.se>;
'pgsql-general@postgresql.org'<pgsql-general@postgresql.org>; pgsql-performance@postgresql.org;
pgsql-hackers@postgresql.org;'pgsql-hackers-owner@postgresql.org' <pgsql-hackers-owner@postgresql.org>; Aashish Nagpaul
<aashish.nagpaul@ericsson.com>
Subject: Re: integrate Postgres Users Authentication with our own LDAP Server

On Thu, 2019-05-09 at 04:51 +0000, M Tarkeshwar Rao wrote:
> We would need to integrate Postgres Users Authentication with our own LDAP Server.  
>  
> Basically as of now we are able to login to Postgress DB with a user/password credential.
>
> [roles "pg_signal_backend" and "postgres"]
>  
> These user objects are the part of Postgres DB server. Now we want that these users should be authenticated by LDAP server.
> We would want the authentication to be done with LDAP, so basically 
> the user credentials should be store in LDAP server
>  
> Can you mention the prescribed steps in Postgres needed for this integration with LDAP Server?

LDAP authentication is well documented:
https://www.postgresql.org/docs/current/auth-ldap.html

But I don't think you are on the right track.

"pg_signal_backend" cannot login, it is a role to which you add a login user to give it certain privileges.  So you
don't need to authenticate the role.

"postgres" is the installation superuser.  If security is important for you, you won't set a password for that user and
you won't allow remote logins with that user.

But for your application users LDAP authentication is a fine thing, and not hard to set up if you know a little bit
about LDAP.

Yours,
Laurenz Albe
--
Cybertec |
https://protect2.fireeye.com/url?k=4f372c5d-13a52101-4f376cc6-0cc47ad93d46-aed009fdc0b3e18f&u=https://www.cybertec-postgresql.com/


Re: integrate Postgres Users Authentication with our own LDAP Server

From
Laurenz Albe
Date:
On Thu, 2019-05-09 at 07:11 +0000, M Tarkeshwar Rao wrote:
> We  want to setup ldap authentication in pg_hba.conf, for Postgresql users(other than  postgres super user).
> 
> We are getting issue with special characters by following steps given in postgres documentation. 
> It is not accepting any special characters as special characters are mandatory in our use case.
> 
> Can you please help us or have you any steps by which we can configure any postgres with LDAP?

It was very inconsiderate of you to write to 100 PostgreSQL lists at once (and I was stupid
enough not to notice right away).

Then, please don't top-post on these lists.  Write your reply *below* what you quote.

What exactly is your problem?  "We are getting issues" is not detailed enough.
You probably just have to get the encoding right.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com




Re: integrate Postgres Users Authentication with our own LDAP Server

From
Tomas Vondra
Date:
On Thu, May 09, 2019 at 07:11:24AM +0000, M Tarkeshwar Rao wrote:
>We  want to setup ldap authentication in pg_hba.conf, for Postgresql
>users(other than  postgres super user).
>
>We are getting issue with special characters by following steps given in
>postgres documentation.  It is not accepting any special characters as
>special characters are mandatory in our use case.
>
>Can you please help us or have you any steps by which we can configure
>any postgres with LDAP?

Please don't cross-post - this is a fairly generic question, it has
nothing to do with performance or development, so the right thing is to
send it to pgsql-general. Likewise, it makes little sense to send
questions to the "owner". I've removed the other lists from CC.

regards

-- 
Tomas Vondra                  http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services




Re: integrate Postgres Users Authentication with our own LDAP Server

From
Stephen Frost
Date:
Greetings,

(Dropping all the extra mailing lists and such, please do *not*
cross-post like that)

* M Tarkeshwar Rao (m.tarkeshwar.rao@ericsson.com) wrote:
> We  want to setup ldap authentication in pg_hba.conf, for Postgresql users(other than  postgres super user).
>
> We are getting issue with special characters by following steps given in postgres documentation.
> It is not accepting any special characters as special characters are mandatory in our use case.
>
> Can you please help us or have you any steps by which we can configure any postgres with LDAP?

Is this an active directory environment?  If so, you should probably be
using GSSAPI anyway and not LDAP for the actual authentication.

As for the "special characters", you really need to provide specifics
and be able to show us the actual errors that you're getting.

Thanks,

Stephen
