Thread: LDAP Search failing when i provide Multiple entry in pg_hba.conf

On Sun, Jun 23, 2019 at 12:00 PM Revana Siddu <revana.siddu@gmail.com> wrote:
> This my pg_hba.conf , If I comment one entry users belong that basedn works , With 2 entry not working ... Please
helphow  to go about this 
>
> host    all             all           clienthostip/32 ldap ldapserver=ldapserver.com ldapbasedn="OU=Users,OU=AP
Region,DC=xx,DC=com" ldapbinddn="cn=serviceID,ou=special accounts,ou=ISO,dc=xx,dc=com" ldapbindpasswd="xxxx"
ldapsearchattribute="sAMAccountName"
> host    all             all           clienthostip/ldap ldapserver=ldapserver.com
ldapbasedn="OU=Users,OU=ISO,DC=xx,DC=com"ldapbinddn="cn=serviceID,ou=special accounts,ou=ISO,dc=xx,dc=com"
ldapbindpasswd="xxxxx"ldapsearchattribute="sAMAccountName" 

I assume the second line is missing a few characters between
"clienthostip/" and "ldap".

The HBA system works using the first line that matches in the type,
database, user and address columns, and if that line rejects the user,
it doesn't try later lines[1].  That means you can't use multiple
lines to say 'this OR that'.

If you're on version 11, you could try to do this with one line using
ldapsearchfilter[2] instead of ldapsearchattribute.  Perhaps you could
set ldapbasedn="DC=xx,DC=com" (the common ancestor of both OUs), and
then you'd use something like
ldaldapsearchfilter="(&(sAMAccountName=$username)(|(...)(...)))",
where & and | are logical and and or operators understood by Active
Directory.  I don't know what syntax would be required for the (...)
parts on your set-up -- perhaps something like (memberOf=...) would be
involved, but I Google finds lots of discussion of how to build a
search filter that searches more than one OU.  You can experiment with
the ldapsearch command-line tool.

[1] https://www.postgresql.org/docs/11/auth-pg-hba-conf.html
[2] https://www.postgresql.org/docs/11/auth-ldap.html

--
Thomas Munro
https://enterprisedb.com