Thread: LDAP auth
Hi
I'm running on PostgreSQL 10.6 and would like to connect with LDAP users.
I have synced all users from my group into my database and I can find users :-)
hostssl all all 10.1.1.0/24 ldap ldapurl="ldap://ldap.local/OU=ASA,OU=Forest%20Admin%20Accounts%20%26%20Roles,DC=ASATL,DC=NET?sAMAccountName?sub" ldaptls=1 ldapbinddn="CN=POSTGRES,OU=Service Accounts,OU=Global,OU=Member Servers,DC=PMINTL,DC=NET" ldapbindpasswd='password001'
What is the best way to put the LDAP query in pg_hba? I think the error comes from here.
Thanks
Pierre
Greetings,

* Pierre Ochsenbein (pierreochsenbein@gmail.com) wrote:
> I'm running on PostgreSQL 10.6 and would like to connect with LDAP users.
> I have synced all users from my group into my database and I can find users :-)
>
> hostssl all all 10.1.1.0/24 ldap ldapurl="ldap://ldap.local/OU=ASA,OU=Forest%20Admin%20Accounts%20%26%20Roles,DC=ASATL,DC=NET?sAMAccountName?sub" ldaptls=1 ldapbinddn="CN=POSTGRES,OU=Service Accounts,OU=Global,OU=Member Servers,DC=PMINTL,DC=NET" ldapbindpasswd='password001'
>
> What is the best way to put the LDAP query in pg_hba? I think the error comes from here.

Are you in an Active Directory environment? If so, you'd be much better off using Kerberos/GSSAPI instead of LDAP. There's specific information about doing that available here:

https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

Note that when using LDAP in this way, the user's password ends up being sent from the client to the server, so if the PG server is compromised then users' passwords can end up being exposed, allowing a potential attacker to then impersonate the user to gain access to other services in the environment (as that's the user's single-sign-on password...).

Thanks,

Stephen
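To sanity-check a pg_hba.conf ldap line like the one in the question before trying it against the server, here is a small Python checker added to this thread (it is not from either poster and not part of PostgreSQL): it splits the ldapurl into the parts PostgreSQL documents, undoes the %20/%26 escapes in the base DN, and flags a few things that commonly break an LDAP bind. It assumes pg_hba.conf quotes values with double quotes only, and PostgreSQL's documented defaults of search attribute uid and scope base; the sample line is a constructed copy of the one above.

```python
import re
from urllib.parse import unquote
# pg_hba.conf quotes option values with double quotes only; single quotes stay part of the value.
OPT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# LDAP URL shape PostgreSQL documents: ldap[s]://host[:port]/basedn[?attr[?scope[?filter]]]
URL_RE = re.compile(r"^(ldaps?)://([^/:]+)(?::(\d+))?/([^?]*)"
                    r"(?:\?([^?]*)(?:\?([^?]*)(?:\?(.*))?)?)?$")

def parse_ldapurl(url):
    """Split an ldapurl into its parts, undoing %XX escapes (e.g. %20, %26) in the DN."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, host, port, basedn, attr, scope, filt = m.groups()
    return {"scheme": scheme, "host": host,
            "port": int(port) if port else (636 if scheme == "ldaps" else 389),
            "basedn": unquote(basedn),
            "attribute": attr or "uid",   # PostgreSQL's default search attribute
            "scope": scope or "base",     # PostgreSQL's default; AD setups want "sub"
            "filter": unquote(filt) if filt else None}

def domain_of(dn):
    """Join the DC= components of a DN into a domain name, e.g. 'asatl.net'."""
    parts = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return ".".join(v.strip().lower() for k, v in parts if k.strip().upper() == "DC")

def check_hba_ldap_line(line):
    """Return findings for one 'ldap' line of pg_hba.conf (empty list = nothing odd)."""
    opts = {k: (q if q else bare) for k, q, bare in OPT_RE.findall(line)}
    url = parse_ldapurl(opts["ldapurl"])
    findings = []
    if url["scope"] != "sub":
        findings.append("scope is %r: users below the base DN will not be found" % url["scope"])
    if url["scheme"] == "ldap" and opts.get("ldaptls") != "1":
        findings.append("ldap:// without ldaptls=1: bind and user passwords cross the wire in clear")
    pw = opts.get("ldapbindpasswd", "")
    if len(pw) > 1 and pw[0] == pw[-1] == "'":
        findings.append("ldapbindpasswd is wrapped in single quotes, which become part of the password")
    bind_dom, base_dom = domain_of(opts.get("ldapbinddn", "")), domain_of(url["basedn"])
    if bind_dom and bind_dom != base_dom:
        findings.append("bind DN is in %s but the search base is in %s" % (bind_dom, base_dom))
    return findings

# Constructed sample: the pg_hba line from the question above, copied as written there.
HBA_LINE = ('hostssl all all 10.1.1.0/24 ldap ldapurl="ldap://ldap.local/OU=ASA,'
            'OU=Forest%20Admin%20Accounts%20%26%20Roles,DC=ASATL,DC=NET?sAMAccountName?sub" '
            'ldaptls=1 ldapbinddn="CN=POSTGRES,OU=Service Accounts,OU=Global,OU=Member Servers,'
            'DC=PMINTL,DC=NET" ldapbindpasswd=\'password001\'')
```

Running check_hba_ldap_line(HBA_LINE) reports the single-quoted bind password and the bind DN and search base sitting in different domains; the domain check is a heuristic, since a service account in another domain can be legitimate in a forest with trusts.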