LDAP Configuration

From: Anjul Tyagi
Team,

We are implementing LDAP authentication. We are able to connect to LDAP and authenticate users with it. However, we have two types of users: corporate users, who exist in Active Directory, and application users, which are used by various applications to connect to the database.

Below is the entry I made in the pg_hba.conf file. If I create a user in the DB for which a matching user exists in AD, it works. However, if I create a user with a password, PostgreSQL calls the LDAP server for authentication and it fails, as the user does not exist in AD.

host    all             all       0.0.0.0/0            ldap ldapserver=<LDAP Server> ldapbasedn="OU=Corporate,DC=etch,dc=com" ldapbinddn="CN=AdSyncAcct,OU=Service Accounts,DC=etch,DC=com" ldapbindpasswd="Password" ldapsearchattribute="sAMAccountName"

We are using PostgreSQL version 10.10.

Can you please suggest a pg_hba.conf entry that will allow us to authenticate users both from LDAP and from PostgreSQL itself?

Regards,

Anjul TYAGI



Re: LDAP Configuration

From: Laurenz Albe
On Wed, 2020-04-01 at 10:29 +0000, Anjul Tyagi wrote:
> We are implementing LDAP authentication. We are able to connect to LDAP and authenticate
> users with it. However, we have two types of users: corporate users, who exist in Active
> Directory, and application users, which are used by various applications to connect to
> the database.
> 
> Below is the entry I made in the pg_hba.conf file. If I create a user in the DB for which a
> matching user exists in AD, it works. However, if I create a user with a password, PostgreSQL
> calls the LDAP server for authentication and it fails, as the user does not exist in AD.
> 
> host    all             all       0.0.0.0/0            ldap ldapserver=<LDAP Server>
> ldapbasedn="OU=Corporate,DC=etch,dc=com" ldapbinddn="CN=AdSyncAcct,OU=Service Accounts,DC=etch,DC=com"
> ldapbindpasswd="Password" ldapsearchattribute="sAMAccountName"
> 
> We are using PostgreSQL version 10.10.
> 
> Can you please suggest a pg_hba.conf entry that will allow us to authenticate users both
> from LDAP and from PostgreSQL itself?

Create a NOLOGIN role "ldapusers" in PostgreSQL and assign the users to authenticate
with LDAP to that group.

Then use two lines in pg_hba.conf:

host  all  +ldapusers 0.0.0.0/0  ldap ...
host  all  all        0.0.0.0/0  scram-sha-256

All users in the "ldapusers" group will be authenticated with LDAP,
and the others will "fall through" to the password authentication.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
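The two lines above work only because pg_hba.conf records are tried from the top and the first match decides the method. To make that concrete, here is an added example (it is neither from this thread nor PostgreSQL's own code): a simplified pg_hba.conf matcher in Python covering just the rules the suggestion relies on, `all`, literal names, `+group` (direct or indirect membership), CIDR addresses, and the quoted DN options. The role names `alice` and `app_svc`, the database `appdb`, the client address and the `ldapserver` value are constructed placeholders, and the role graph is a dict standing in for the catalog. The second config shows what happens when the two lines are swapped.

```python
"""Simplified pg_hba.conf matcher (added example, not PostgreSQL's code).

Covers only the subset of record matching the thread relies on:
records are tried top to bottom and the FIRST match fixes the method;
the USER field is `all`, a literal role, `+group` or a comma list;
the DATABASE field is `all`, a literal name or a comma list;
the ADDRESS field is a CIDR block. `local` records are parsed but skipped
because only TCP connections are simulated.
"""
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed pg_hba.conf in the suggested two-line layout. ldapserver is a
# placeholder; base DN and search attribute are the ones quoted in the thread
# (bind DN and bind password omitted).
PG_HBA = """
# TYPE  DATABASE  USER        ADDRESS    METHOD
host    all       +ldapusers  0.0.0.0/0  ldap ldapserver=ldap.example.invalid ldapbasedn="OU=Corporate,DC=etch,dc=com" ldapsearchattribute="sAMAccountName"
host    all       all         0.0.0.0/0  scram-sha-256
"""

# Same records, wrong order: the catch-all password line shadows the LDAP line.
PG_HBA_WRONG_ORDER = """
host    all       all         0.0.0.0/0  scram-sha-256
host    all       +ldapusers  0.0.0.0/0  ldap ldapserver=ldap.example.invalid ldapbasedn="OU=Corporate,DC=etch,dc=com" ldapsearchattribute="sAMAccountName"
"""

# Constructed role graph standing in for pg_auth_members: role -> roles it is
# a direct member of. 'ldapusers' is the NOLOGIN group from the reply; 'alice'
# is a corporate AD account, 'app_svc' an application account with a local
# SCRAM password (both hypothetical).
ROLE_MEMBERSHIP = {
    "alice": {"ldapusers"},
    "app_svc": set(),
    "ldapusers": set(),
}


@dataclass
class HbaRecord:
    conn_type: str
    database: str
    user: str
    address: object     # ip_network for host* records, None for local
    method: str
    options: dict


def parse_pg_hba(text):
    """Parse pg_hba.conf text into HbaRecord objects, in file order."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a '#' inside a quoted DN is not handled
        if not line:
            continue
        fields = shlex.split(line)            # strips the quotes around DN values
        conn_type = fields[0]
        if conn_type == "local":
            database, user, method, *opts = fields[1:]
            address = None
        else:
            database, user, addr, method, *opts = fields[1:]
            address = ipaddress.ip_network(addr, strict=False)
        options = dict(opt.split("=", 1) for opt in opts)
        records.append(HbaRecord(conn_type, database, user, address, method, options))
    return records


def is_member(role, group, membership):
    """True if role is the group itself or a direct/indirect member of it."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current == group:
            return True
        if current in seen:
            continue
        seen.add(current)
        stack.extend(membership.get(current, ()))
    return False


def user_matches(field, user, membership):
    for item in field.split(","):
        if item == "all" or item == user:
            return True
        if item.startswith("+") and is_member(user, item[1:], membership):
            return True
    return False


def database_matches(field, database):
    return any(item in ("all", database) for item in field.split(","))


def match_method(records, database, user, client_ip, membership):
    """Return the auth method of the first matching record, or None (rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for rec in records:
        if rec.conn_type not in ("host", "hostssl", "hostnossl"):
            continue
        if not database_matches(rec.database, database):
            continue
        if not user_matches(rec.user, user, membership):
            continue
        if ip.version != rec.address.version or ip not in rec.address:
            continue
        return rec.method
    return None


def methods_for(hba_text, membership=ROLE_MEMBERSHIP, client_ip="10.0.0.5"):
    """Which method each sample role would be authenticated with."""
    records = parse_pg_hba(hba_text)
    return {user: match_method(records, "appdb", user, client_ip, membership)
            for user in ("alice", "app_svc")}


if __name__ == "__main__":
    print("suggested order:", methods_for(PG_HBA))
    print("swapped order:  ", methods_for(PG_HBA_WRONG_ORDER))
```

With the suggested order, `alice` is routed to `ldap` and `app_svc` falls through to `scram-sha-256`; with the lines swapped, both hit the catch-all password line and no one is ever sent to LDAP, which is the failure a misordered file produces silently.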




Re: LDAP Configuration

From: Anjul Tyagi
Thanks Laurenz Albe!!!

I did the same and it worked for me... 


Regards,

Anjul TYAGI



------ Original Message ------
From: "Laurenz Albe" <laurenz.albe@cybertec.at>
To: "Anjul Tyagi" <anjul@ibosstech-us.com>; "pgsql-admin" <pgsql-admin@postgresql.org>
Sent: 4/1/2020 5:03:04 PM
Subject: Re: LDAP Configuration

Re: LDAP Configuration

From: Stephen Frost
Greetings,

* Anjul Tyagi (anjul@ibosstech-us.com) wrote:
> We are implementing LDAP authentication. We are able to connect to LDAP and
> authenticate users with it. However, we have two types of users: corporate
> users, who exist in Active Directory, and application users, which are used
> by various applications to connect to the database.

In an Active Directory environment, you really should be using Kerberos
(also known as GSSAPI) for authentication. Using LDAP isn't secure, as it
means that the user's password will be sent to the PostgreSQL server.

Thanks,

Stephen
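As an added illustration of Stephen's point (not part of the thread), here is a pg_hba.conf layout that keeps the two-line structure from Laurenz's reply but authenticates the corporate group with GSSAPI instead of LDAP. The role name corpusers and the realm ETCH.COM are assumptions (the realm is inferred from the DC= components quoted above), and the server additionally needs a keytab for its service principal, configured with krb_server_keyfile in postgresql.conf.

```text
# TYPE  DATABASE  USER        ADDRESS    METHOD
# Corporate (AD) accounts present a Kerberos ticket. include_realm=0 strips
# the realm so the principal anjul@ETCH.COM maps to the role "anjul";
# krb_realm rejects tickets issued by any other realm. (corpusers and
# ETCH.COM are assumed names, not taken from the thread.)
host    all       +corpusers  0.0.0.0/0  gss include_realm=0 krb_realm=ETCH.COM
# Application accounts with a local password fall through, as before.
host    all       all         0.0.0.0/0  scram-sha-256
```

With Kerberos the client obtains a service ticket from the domain controller and presents that to PostgreSQL; the user's password never leaves the workstation, which is the property Stephen is pointing to. With the ldap method, by contrast, the server receives the cleartext password and binds to AD on the user's behalf, so the database host and the link to it become part of the password's exposure.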
