Thread: Secure LDAP auth on windows machine inside domain

Secure LDAP auth on windows machine inside domain

From
Rocco Kreutz
Date:
I'm looking for some help with setting up LDAP-Auth.

Scenaria is:
- Computer in Windows Domain runs postgreSQL
- The AD-DC is using a self-signed certificate
- That cert is already imported to trusted root cert store on that computer
- LDAP auth without encryption does work fine
   (
   ldap ldapserver=???.???.???.de ldaptls=0 
ldapbasedn="CN=Users,DC=???,DC=???,DC=???" 
ldapbinddn="CN=prodatbind,CN=Users,DC=???,DC=???,DC=???" 
ldapbindpasswd="???" ldapsearchattribute="sAMAccountName"
   )
- i'm trying to logon as prodatadmin (prodatbind account is just for the 
ldap-bind)
- Now either tls or ldaps needs to be activated



If i change to tls=1 i get the errormessage:

2021-05-21 13:38:35.639 CEST [968] LOG:  could not start LDAP TLS 
session: Lokaler Fehler
2021-05-21 13:38:35.639 CEST [968] DETAIL:  LDAP diagnostics: Lokaler Fehler
2021-05-21 13:38:35.640 CEST [968] FATAL:  LDAP authentication failed 
for user "prodatadmin"

Lokaler Fehler -> local error


if i change to ldaps i get the errormessage:

2021-05-21 13:41:34.759 CEST [13412] LOG:  could not perform initial 
LDAP bind for ldapbinddn "CN=prodatbind,CN=Users,DC=???,DC=???,DC=???" 
on server "???.???.???.???": Server heruntergefahren
2021-05-21 13:41:34.759 CEST [13412] DETAIL:  LDAP diagnostics: Server 
heruntergefahren
2021-05-21 13:41:34.760 CEST [13412] FATAL:  LDAP authentication failed 
for user "prodatadmin"

Server heruntergefahren -> Server is down


with ldapadmin (ldapadmin.org) i can connect with ssl or tls. I just get 
a warning about the certificate.
So what do i need to do, to get postgrSQL LDAP to accept that certificate?

Thx





Re: Secure LDAP auth on windows machine inside domain

From
Holger Jakobs
Date:
Am 21.05.21 um 14:02 schrieb Rocco Kreutz:
> I'm looking for some help with setting up LDAP-Auth.
>
> Scenaria is:
> - Computer in Windows Domain runs postgreSQL
> - The AD-DC is using a self-signed certificate
> - That cert is already imported to trusted root cert store on that
> computer
> - LDAP auth without encryption does work fine
>   (
>   ldap ldapserver=???.???.???.de ldaptls=0
> ldapbasedn="CN=Users,DC=???,DC=???,DC=???"
> ldapbinddn="CN=prodatbind,CN=Users,DC=???,DC=???,DC=???"
> ldapbindpasswd="???" ldapsearchattribute="sAMAccountName"
>   )
> - i'm trying to logon as prodatadmin (prodatbind account is just for
> the ldap-bind)
> - Now either tls or ldaps needs to be activated
>
>
>
> If i change to tls=1 i get the errormessage:
>
> 2021-05-21 13:38:35.639 CEST [968] LOG:  could not start LDAP TLS
> session: Lokaler Fehler
> 2021-05-21 13:38:35.639 CEST [968] DETAIL:  LDAP diagnostics: Lokaler
> Fehler
> 2021-05-21 13:38:35.640 CEST [968] FATAL:  LDAP authentication failed
> for user "prodatadmin"
>
> Lokaler Fehler -> local error
>
>
> if i change to ldaps i get the errormessage:
>
> 2021-05-21 13:41:34.759 CEST [13412] LOG:  could not perform initial
> LDAP bind for ldapbinddn "CN=prodatbind,CN=Users,DC=???,DC=???,DC=???"
> on server "???.???.???.???": Server heruntergefahren
> 2021-05-21 13:41:34.759 CEST [13412] DETAIL:  LDAP diagnostics: Server
> heruntergefahren
> 2021-05-21 13:41:34.760 CEST [13412] FATAL:  LDAP authentication
> failed for user "prodatadmin"
>
> Server heruntergefahren -> Server is down
>
>
> with ldapadmin (ldapadmin.org) i can connect with ssl or tls. I just
> get a warning about the certificate.
> So what do i need to do, to get postgrSQL LDAP to accept that
> certificate?
>
> Thx
>
>
> If both your clients and server are running on Windows, the best
> authentication method is SSPI.
>
--
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012



Attachment

Re: Secure LDAP auth on windows machine inside domain

From
Rocco Kreutz
Date:
It must be LDAP, because the users need to use a shortened diffrent 
login, which is stored in ad
>> If both your clients and server are running on Windows, the best 
>> authentication method is SSPI.
>>



Re: Secure LDAP auth on windows machine inside domain

From
Stephen Frost
Date:
Greetings,

* Rocco Kreutz (r.kreutz@prodat-sql.de) wrote:
> It must be LDAP, because the users need to use a shortened diffrent login,
> which is stored in ad

You can map users using pg_ident.conf, there's no need to use LDAP to
have a different login name in the database, and it's not secure to use
LDAP.

When LDAP is used, the user's credentials are seen by the server in the
clear (and there's not really anything you can do about that, it's the
nature of that auth method) and therefore if the DB server is
compromised then everyone's credentials who logs into the DB server will
also be compromised (TLS/SSL doesn't help because that only protects
traffic across the network).

Thanks,

Stephen

Attachment

Re: Secure LDAP auth on windows machine inside domain

From
Rocco Kreutz
Date:
Cos im getting more and more reply's, without any help concerning my 
actual question.

GSSAPI/SSPI is NOT an option. Creating keytab files, merging them, 
adjusting postgreSQL config files and then restarting db-server is not 
an option.

thx





Re: Secure LDAP auth on windows machine inside domain

From
Dan Smith
Date:
Hi Rocco,

For Postgres server to ldap (AD), it looks like ldaptls was added to documentation for v10 (see 

Using Active Directory for Authentication can be done (check archives of this list it's, been covered).  Honestly outside of what has already been covered in other posts, I don't think I have much to add.  Most of what you need to do is external to Postgres (such as determining your ldap search criteria and verifying connection details).  Once you have all of that, updating the pg_hba.conf file is straight forward.


Best regards,

Dan Smith



On Tue, May 25, 2021, 00:20 Rocco Kreutz <r.kreutz@prodat-sql.de> wrote:
Cos im getting more and more reply's, without any help concerning my
actual question.

GSSAPI/SSPI is NOT an option. Creating keytab files, merging them,
adjusting postgreSQL config files and then restarting db-server is not
an option.

thx