[Auth] "ident" method and LDAP user accounts

Started by Stephane Bortzmeyer, March 2005. 12 messages, list: general.
#1 Stephane Bortzmeyer
bortzmeyer@nic.fr

I manage a Debian/Linux machine which runs PostgreSQL 7.4.7.

All the user accounts, including mine, are in a LDAP database. Thanks
to NSS (Name Service Switch) all applications have access to the LDAP
accounts (getpwuid(3) and getpwnam(3) use LDAP). But not PostgreSQL.

When I connect locally (Linux has SO_PEERCRED, so the ident daemon is
not used) with the "ident" method, I get rejected.

If I create an ident map to map the numeric UID to my name, it works:

# MAPNAME IDENT-USERNAME PG-USERNAME
ldapuser 1000 bortzmeyer

It is of course very inconvenient to duplicate my LDAP database into
pg_ident.conf. Is there a better way?

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Stephane Bortzmeyer (#1)
Re: [Auth] "ident" method and LDAP user accounts

Stephane Bortzmeyer <bortzmeyer@nic.fr> writes:

It is of course very inconvenient to duplicate my LDAP database into
pg_ident.conf. Is there a better way?

Perhaps you can find a PAM plugin that talks to LDAP, and configure
Postgres to use that.

regards, tom lane

#3 Stephane Bortzmeyer
bortzmeyer@nic.fr
In reply to: Tom Lane (#2)
Re: [Auth] "ident" method and LDAP user accounts

On Wed, Mar 02, 2005 at 02:16:29PM -0500,
Tom Lane <tgl@sss.pgh.pa.us> wrote
a message of 8 lines which said:

It is of course very inconvenient to duplicate my LDAP database into
pg_ident.conf. Is there a better way?

Perhaps you can find a PAM plugin that talks to LDAP, and configure
Postgres to use that.

It already exists (I tried it) but it does not suit my needs since it
asks for the password (and I'm already logged in, I don't want to type
a password again).

The real issue is "Why does PostgreSQL not use getpwuid when
getsockopt with SO_PEERCRED returns a numeric UID?" This would give
PostgreSQL the real and correct user name :-(

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Stephane Bortzmeyer (#3)
Re: [Auth] "ident" method and LDAP user accounts

Stephane Bortzmeyer <bortzmeyer@nic.fr> writes:

The real issue is "Why does PostgreSQL not use getpwuid when
getsockopt with SO_PEERCRED returns a numeric UID?"

Oh? I read in hba.c

    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peercred, &so_len) != 0 ||
        so_len != sizeof(peercred))
    {
        /* We didn't get a valid credentials struct. */
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not get peer credentials: %m")));
        return false;
    }

    pass = getpwuid(peercred.uid);

so it sure looks like we *are* using getpwuid.

regards, tom lane

#5 Florian Pflug
fgp@phlo.org
In reply to: Stephane Bortzmeyer (#1)
Re: [Auth] "ident" method and LDAP user accounts

Stephane Bortzmeyer wrote:

All the user accounts, including mine, are in a LDAP database. Thanks
to NSS (Name Service Switch) all applications have access to the LDAP
accounts (getpwuid(3) and getpwnam(3) use LDAP). But not PostgreSQL.

I did similar setups on both gentoo and debian/sarge, and this was
never a problem.

Might it be that the postgres user is not allowed to read /etc/ldap.conf
- or however your nss_ldap config file is called? I'd try su-ing to the
postgres user, and check if everything (ls -l /home, ... - you get the
idea) works as expected.

When I connect locally (Linux has SO_PEERCRED, so the ident daemon is
not used) with the "ident" method, I get rejected.

If I create an ident map to map the numeric UID to my name, it works:

# MAPNAME IDENT-USERNAME PG-USERNAME
ldapuser 1000 bortzmeyer

If all else fails, you could create this via a shell script from your
ldap database - but of course that's ugly...

greetings, Florian Pflug

#6 Stephane Bortzmeyer
bortzmeyer@nic.fr
In reply to: Tom Lane (#4)
Re: [Auth] "ident" method and LDAP user accounts

On Thu, Mar 03, 2005 at 04:03:25AM -0500,
Tom Lane <tgl@sss.pgh.pa.us> wrote
a message of 21 lines which said:

pass = getpwuid(peercred.uid);

so it sure looks like we *are* using getpwuid.

You're right but I do not understand why it fails only with
PostgreSQL.

#7 Stephane Bortzmeyer
bortzmeyer@nic.fr
In reply to: Florian Pflug (#5)
Re: [Auth] "ident" method and LDAP user accounts

On Thu, Mar 03, 2005 at 10:04:32AM +0100,
Florian G. Pflug <fgp@phlo.org> wrote
a message of 114 lines which said:

Might it be that the postgres user is not allowed to read
/etc/ldap.conf - or however your nss_ldap config file is called?

myriam:~ % ls -ld /etc/*ldap*
drwxr-xr-x 2 root root 4096 Oct 18 17:17 /etc/ldap
-rw------- 1 root root 13 Oct 18 17:19 /etc/ldap.secret
-rw-r--r-- 1 root root 8442 Oct 18 17:27 /etc/libnss-ldap.conf
-rw-r--r-- 1 root root 7070 Oct 18 17:19 /etc/pam_ldap.conf

I'd try su-ing to the postgres user, and check if everything (ls -l
/home, ... - you get the idea) works as expected.

It does:
myriam:~ % id
uid=104(postgres) gid=108(postgres) groups=108(postgres)

myriam:~ % ls -l /home/bortzmeyer
total 68
drwxr-sr-x 3 bortzmeyer staff 4096 Nov 19 11:47 AFGNIC

While "bortzmeyer" is not in /etc/passwd, only in LDAP.

So, we still have a mystery :-(

#8 Marco Colombo
pgsql@esiway.net
In reply to: Stephane Bortzmeyer (#7)
Re: [Auth] "ident" method and LDAP user accounts

On Thu, 3 Mar 2005, Stephane Bortzmeyer wrote:

On Thu, Mar 03, 2005 at 10:04:32AM +0100,
Florian G. Pflug <fgp@phlo.org> wrote
a message of 114 lines which said:

Might it be that the postgres user is not allowed to read
/etc/ldap.conf - or however your nss_ldap config file is called?

myriam:~ % ls -ld /etc/*ldap*
drwxr-xr-x 2 root root 4096 Oct 18 17:17 /etc/ldap
-rw------- 1 root root 13 Oct 18 17:19 /etc/ldap.secret
-rw-r--r-- 1 root root 8442 Oct 18 17:27 /etc/libnss-ldap.conf
-rw-r--r-- 1 root root 7070 Oct 18 17:19 /etc/pam_ldap.conf

I'd try su-ing to the postgres user, and check if everything (ls -l
/home, ... - you get the idea) works as expected.

It does:
myriam:~ % id
uid=104(postgres) gid=108(postgres) groups=108(postgres)

myriam:~ % ls -l /home/bortzmeyer
total 68
drwxr-sr-x 3 bortzmeyer staff 4096 Nov 19 11:47 AFGNIC

While "bortzmeyer" is not in /etc/passwd, only in LDAP.

So, we still have a mystery :-(

Does Debian include and activate SELinux?

.TM.
--
Marco Colombo
Technical Manager
ESI s.r.l.
Colombo@ESI.it

#9 Florian Pflug
fgp@phlo.org
In reply to: Marco Colombo (#8)
Re: [Auth] 'ident' method and LDAP user accounts

On Thu, March 3, 2005 12:00, Marco Colombo said:

On Thu, 3 Mar 2005, Stephane Bortzmeyer wrote:

On Thu, Mar 03, 2005 at 10:04:32AM +0100,
Florian G. Pflug <fgp@phlo.org> wrote
a message of 114 lines which said:

Might it be that the postgres user is not allowed to read
/etc/ldap.conf - or however your nss_ldap config file is called?

myriam:~ % ls -ld /etc/*ldap*
drwxr-xr-x 2 root root 4096 Oct 18 17:17 /etc/ldap
-rw------- 1 root root 13 Oct 18 17:19 /etc/ldap.secret
-rw-r--r-- 1 root root 8442 Oct 18 17:27 /etc/libnss-ldap.conf
-rw-r--r-- 1 root root 7070 Oct 18 17:19 /etc/pam_ldap.conf

I'd try su-ing to the postgres user, and check if everything (ls -l
/home, ... - you get the idea) works as expected.

It does:
myriam:~ % id
uid=104(postgres) gid=108(postgres) groups=108(postgres)

myriam:~ % ls -l /home/bortzmeyer
total 68
drwxr-sr-x 3 bortzmeyer staff 4096 Nov 19 11:47 AFGNIC

While "bortzmeyer" is not in /etc/passwd, only in LDAP.

So, we still have a mystery :-(

Seems so.. you could try to start the postmaster via strace -f, and
capture the log
(strace -f <postmaster> <postmaster-opts> > /tmp/postmaster.strace 2>&1)

Then try to connect, and see what happens - you should see the postmaster
open your pam_ldap.conf, and then try to connect to your ldap server.
Maybe you find some hint in the strace log on what's going on...

Maybe it's also worth trying to start the postmaster by hand - the
init-script might set some different env-variables or paths than what you
have set in an interactive shell...

Does Debian include and activate SELinux?

There are selinux-versions of debian, but in vanilla debian/sarge (and
debian/woody, and debian/sid), there is no selinux support - at least, I
never stumbled upon this, and I use quite a few debian machines.

greetings, Florian Pflug

#10 Stephane Bortzmeyer
bortzmeyer@nic.fr
In reply to: Marco Colombo (#8)
Re: [Auth] "ident" method and LDAP user accounts

On Thu, Mar 03, 2005 at 12:00:51PM +0100,
Marco Colombo <pgsql@esiway.net> wrote
a message of 39 lines which said:

Does Debian include and activate SELinux?

Not at all.

#11 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Stephane Bortzmeyer (#6)
Re: [Auth] "ident" method and LDAP user accounts

Stephane Bortzmeyer <bortzmeyer@nic.fr> writes:

Tom Lane <tgl@sss.pgh.pa.us> wrote

so it sure looks like we *are* using getpwuid.

You're right but I do not understand why it fails only with
PostgreSQL.

Perhaps one of the pile of random libraries we include is supplying a
broken version of getpwuid?

I concur with the suggestion to try strace'ing to compare PG's behavior
to something that works (such as ls).

regards, tom lane

#12 Stephane Bortzmeyer
bortzmeyer@nic.fr
In reply to: Florian Pflug (#9)
Re: [Auth] 'ident' method and LDAP user accounts

On Thu, Mar 03, 2005 at 01:20:35PM +0100,
Florian Pflug <fgp@phlo.org> wrote
a message of 47 lines which said:

Seems so.. you could try to start the postmaster via strace -f, and
capture the log

...

Then try to connect, and see what happens - you should see the
postmaster open your pam_ldap.conf, and then try to connect to your
ldap server.

Well, the easiest way was to 'tail -f' the LDAP server's log. I can
see that PostgreSQL, indeed, calls getpwuid and tries to find LDAP's
"uid" (the user name):

Mar 8 10:23:24 eve slapd[586]: conn=38854 op=1 SRCH base="ou=People,dc=eureg,dc=eu" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=1011))"
Mar 8 10:23:24 eve slapd[586]: conn=38854 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

Strangely enough, everything works now. The only thing I see is that
the machine rebooted two days ago. :-(

Thanks for those who searched and sorry for leading them on the wrong
track.