Thread: troubleshooting postgresql ldap authentication
posgresql 12
centos 7
i am trying to configure ldap authentication.
i have the following pg_hba.conf entry (server and basedn are correct but not shown):
hostssl all all 0.0.0.0/0 ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1
when i attempt to authenticate, i see the following in pg logs:
2020-06-08 15:58:43 CDT [20235]: [1-1] user=[unknown],db=[unknown],app=[unknown],client=zzz LOG: connection received: host=zzz port=12378
2020-06-08 15:58:43 CDT [20235]: [2-1] user=uuu,db=postgres,app=[unknown],client=zzz LOG: could not initialize LDAP: Bad parameter to an ldap routine
2020-06-08 15:58:43 CDT [20235]: [3-1] user=uuu,db=postgres,app=[unknown],client=zzz FATAL: LDAP authentication failed for user "uuu"
2020-06-08 15:58:43 CDT [20235]: [4-1] user=uuu,db=postgres,app=[unknown],client=zzz DETAIL: Connection matched pg_hba.conf line 90: "hostssl all all 0.0.0.0/0
ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1"
2020-06-08 15:58:43 CDT [20235]: [2-1] user=uuu,db=postgres,app=[unknown],client=zzz LOG: could not initialize LDAP: Bad parameter to an ldap routine
2020-06-08 15:58:43 CDT [20235]: [3-1] user=uuu,db=postgres,app=[unknown],client=zzz FATAL: LDAP authentication failed for user "uuu"
2020-06-08 15:58:43 CDT [20235]: [4-1] user=uuu,db=postgres,app=[unknown],client=zzz DETAIL: Connection matched pg_hba.conf line 90: "hostssl all all 0.0.0.0/0
ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1"
does anyone know what might be causing "LDAP: Bad parameter to an ldap routine"
ldapsearch works fine w/ the supplied ldapserver and base dn.
On Tue, Jun 9, 2020 at 9:05 AM Chris Stephens <cstephens16@gmail.com> wrote: > hostssl all all 0.0.0.0/0 ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1 > does anyone know what might be causing "LDAP: Bad parameter to an ldap routine" You probably want ldapurl="ldaps://xxx" (note: ldapurl, not ldapserver). Or you could use ldapscheme="ldaps" and ldapserver="xxx".
Hi Chris, > On 08. Jun, 2020, at 23:05, Chris Stephens <cstephens16@gmail.com> wrote: > posgresql 12 > centos 7 here: PostgreSQL 11.6 & 12.3, SLES 12 & 15 > hostssl all all 0.0.0.0/0 ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1 we use: hostssl all all 0.0.0.0/0 ldap ldapserver="host1 host2" ldapport=389 ldapsearch="dc=domain,dc=example,dc=com" ldapsearchattribute="uid"ldaptls=1 Works pretty well. Cheers, Paul
yes, shortly after i sent this out to the list, one of our security administrators suggested ldapscheme. I just tested and ldapurl works as well.
the security admin explained it like this:
the security admin explained it like this:
"since we are using port 636 I know that it needs the TLS connection in place before LDAP commands. starttls does the opposite. allows an LDAP connection to "upgrade" to TLS. so the previous errors were simply it unable to connect to server."
i'm guessing information like that doesn't belong in postgresql documentation but it would have been useful yesterday. :)
thanks for the response! i just recently made the switch to postgresql after 20 years of mainly Oracle. during that time, the oracle-l mailing list was invaluable as a learning tool and as a way to get help when needed. it's great to know there's a similar mailing list in the postgresql community!
On Mon, Jun 8, 2020 at 7:41 PM Thomas Munro <thomas.munro@gmail.com> wrote:
On Tue, Jun 9, 2020 at 9:05 AM Chris Stephens <cstephens16@gmail.com> wrote:
> hostssl all all 0.0.0.0/0 ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1
> does anyone know what might be causing "LDAP: Bad parameter to an ldap routine"
You probably want ldapurl="ldaps://xxx" (note: ldapurl, not
ldapserver). Or you could use ldapscheme="ldaps" and
ldapserver="xxx".
Greetings, * Chris Stephens (cstephens16@gmail.com) wrote: > yes, shortly after i sent this out to the list, one of our security > administrators suggested ldapscheme. I just tested and ldapurl works as > well. > > the security admin explained it like this: > > "since we are using port 636 I know that it needs the TLS connection in > place before LDAP commands. starttls does the opposite. allows an LDAP > connection to "upgrade" to TLS. so the previous errors were simply it > unable to connect to server." > > i'm guessing information like that doesn't belong in postgresql > documentation but it would have been useful yesterday. :) Might be interesting to know if the security administrator also understands that the way ldap-based auth works (at least in PG) is that the user's password is sent to the PG server where it could potentially be hijacked if the PG server is compromised.. If you're in an active directory environment, you really should be using the 'gss' method instead, which is Kerberos underneath and avoids that issue. > thanks for the response! i just recently made the switch to postgresql > after 20 years of mainly Oracle. during that time, the oracle-l mailing > list was invaluable as a learning tool and as a way to get help > when needed. it's great to know there's a similar mailing list in the > postgresql community! You're certainly welcome here! One thing to mention is that, as you may have noticed, we communicate on these lists by responding in-line rather than 'top-posting', since it makes things easier for everyone else on the list to follow. Thanks, and welcome! Stephen