PostgreSQL and OpenLdap
Hi Friends,
This is my first post in the list.
I am not able to authenticate my PostgreSQL users against OpenLDAP.
1) PostgreSQL was compiled with LDAP support on a FreeBSD system
(option "--with-ldap" for configure).
2) The user also exists in the OpenLDAP base.
3) I have also already added the configuration line in "pg_hba.conf" and
in "pg_service.conf":
$ tail /etc/pg_service.conf
ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br
$ cat /usr/local/pgsql/data/pg_hba.conf
local all all trust
host all all 10.193.4.0/24 md5
ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br
4) To create the user I do this:
# su - pgsql
% createuser scott
After making these configurations, I try to log in and get a password error.
remote# psql postgresql -h server -U scott -W
psql: FATAL: password authentication failed for user "scott"
Could somebody help me? "I am doing something incorrect!!!"
http://www.postgresql.org/docs/current/interactive/libpq-ldap.html
Thanks Cris.
On Sun, Feb 11, 2007 at 08:54:56PM -0200, Cristiano Panvel wrote:
> Hi Friends,
> This is my first post in the list.
> I am not able to authenticate my PostgreSQL users against OpenLDAP.
> 1) PostgreSQL was compiled with LDAP support on a FreeBSD system
> (option "--with-ldap" for configure).
> 2) The user also exists in the OpenLDAP base.
> 3) I have also already added the configuration line in "pg_hba.conf" and
> in "pg_service.conf":
> $ tail /etc/pg_service.conf
> ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br
This is not for LDAP authentication, it's for service lookup only. If
you just want LDAP auth, you can get rid of it. If you want both, I'd
suggest doing one thing at a time - get rid of it for now until auth
works, then put it back in later.
> $ cat /usr/local/pgsql/data/pg_hba.conf
> local all all trust
> host all all 10.193.4.0/24 md5
> ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br
I assume this is all on one line. In which case it's incorrect - you
can't have both md5 and ldap on the same line. It should be:
host all all 10.193.4.0/24 ldap ldap://....
> 4) To create the user I do this:
> # su - pgsql
> % createuser scott
> After making these configurations, I try to log in and get a password error.
> remote# psql postgresql -h server -U scott -W
> psql: FATAL: password authentication failed for user "scott"
What you really need to look at here is the server logs, not the client
output. It should tell you what it's trying to do (in your case, it
would indicate that it's not trying to do LDAP) and how it's failing.
//Magnus
Thanks Magnus,
Now I am passing the line like this in pg_hba.conf:
##
host all all 10.193.4.0/24 ldap
ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br
##
However, a login error is still occurring:
% psql postgresql -h server -U scott -W
psql: FATAL: LDAP authentication failed for user "scott"
I must pass something more.
My LDAP base:
dc=cb,dc=sc,dc=gov,dc=br
The Bind:
ou=Users
Cris.
On Mon, Feb 12, 2007 at 09:41:44PM -0200, Cristiano Panvel wrote:
> Thanks Magnus,
> Now I am passing the line like this in pg_hba.conf:
> ##
> host all all 10.193.4.0/24 ldap
> ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br
> ##
> However, a login error is still occurring:
> % psql postgresql -h server -U scott -W
> psql: FATAL: LDAP authentication failed for user "scott"
That's one step further. Now is the time you need to check the server
log.
> I must pass something more.
> My LDAP base:
> dc=cb,dc=sc,dc=gov,dc=br
> The Bind:
> ou=Users
Uh, you want to bind as an OU? That's not really possible? Or do you
mean that your actual bind should be as something like
cn=scott,ou=Users,dc=cb,dc=sc,dc=gov,dc=br? If so, try something like
ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br;;ou=users,
(note the double semicolons - the first one is for the prefix, the
second one for suffix)
But to re-iterate, your server log should contain more information about
the problem.
//Magnus
I am not trying thus passed the user, and this users does not
function is active and functioned in the OpenLdap.
ldap ldap://ldap.cb.sc.gov.br/uid=scott,ou=Users,dc=cb,dc=sc,dc=gov,dc=br
Something is very strange.
Cris.
First, you still have not shown us the output in the server log. That
is still where you will see more information about why it's failing.
Second, if that's what you want, you should probably try:
ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br;uid=;ou=users,
Or something along that line.
//Magnus
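Added example, not part of the original thread and not PostgreSQL's own code: a small model of the basedn;prefix;suffix option discussed above, assuming the server builds the bind name as plain prefix + user name + suffix, to show what each option string from the thread would bind as. The last candidate and all function names are constructed for this example.

```python
import re

# Option form used in this thread's pg_hba.conf lines:
#   ldap[s]://server[:port]/basedn[;prefix[;suffix]]
_URL = re.compile(r"^ldaps?://(?P<server>[^:/]+)(?::(?P<port>\d+))?/(?P<rest>.*)$")


def parse_ldap_option(url):
    """Split the option into server, port, base DN, prefix and suffix."""
    m = _URL.match(url)
    if m is None:
        raise ValueError("not an ldap:// or ldaps:// option: %r" % url)
    fields = m.group("rest").split(";")
    if len(fields) > 3:
        raise ValueError("expected at most basedn;prefix;suffix: %r" % url)
    basedn, prefix, suffix = (fields + ["", ""])[:3]
    return {"server": m.group("server"), "port": m.group("port"),
            "basedn": basedn, "prefix": prefix, "suffix": suffix}


def bind_dn(url, user):
    """Assumed model: the bind name is prefix + user name + suffix, nothing else."""
    opt = parse_ldap_option(url)
    return opt["prefix"] + user + opt["suffix"]


def looks_like_dn(name):
    """Rough shape check (ignores escaped commas): attr=value,attr=value,..."""
    return all(re.fullmatch(r"\s*[A-Za-z][\w-]*=[^=,]+", rdn)
               for rdn in name.split(","))


BASE = "ldap://ldap.cb.sc.gov.br/dc=cb,dc=sc,dc=gov,dc=br"
CANDIDATES = [
    BASE,                      # from the thread: no prefix or suffix
    BASE + ";;ou=users,",      # from the thread
    BASE + ";uid=;ou=users,",  # from the thread
    # Constructed for this example: the suffix carries the rest of the DN.
    BASE + ";uid=;,ou=Users,dc=cb,dc=sc,dc=gov,dc=br",
]


def report(user="scott"):
    """Return (bind name, looks_like_dn) for every candidate option."""
    return [(bind_dn(u, user), looks_like_dn(bind_dn(u, user))) for u in CANDIDATES]


if __name__ == "__main__":
    for name, ok in report():
        print("%-45s %s" % (name, "DN-shaped" if ok else "not a DN"))
```

A resulting bind name can be checked against the directory independently of PostgreSQL with OpenLDAP's ldapwhoami, using -x, -H for the server URI, -D for the bind name and -W to prompt for the password.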
Nothing appears in the log; only in /var/log/message is there the
login failure error:
Feb 13 12:04:16 fns4 postgres[7055]: [4-1] FATAL: LDAP authentication failed for user "scott"
Feb 13 12:04:20 fns4 postgres[7056]: [4-1] FATAL: LDAP authentication failed for user "scott"
Feb 13 12:04:20 fns4 postgres[7057]: [4-1] FATAL: LDAP authentication failed for user "scott"
Feb 13 12:45:57 fns4 postgres[7216]: [4-1] FATAL: LDAP authentication failed for user "sflo"
Feb 13 12:46:10 fns4 postgres[7223]: [4-1] FATAL: LDAP authentication failed for user "dbadm"
Cris.
Cristiano Panvel wrote:
> Nothing appears in the log; only in /var/log/message is there the
> login failure error:
> Feb 13 12:04:16 fns4 postgres[7055]: [4-1] FATAL: LDAP authentication failed for user "scott"
> Feb 13 12:04:20 fns4 postgres[7056]: [4-1] FATAL: LDAP authentication failed for user "scott"
> Feb 13 12:04:20 fns4 postgres[7057]: [4-1] FATAL: LDAP authentication failed for user "scott"
> Feb 13 12:45:57 fns4 postgres[7216]: [4-1] FATAL: LDAP authentication failed for user "sflo"
> Feb 13 12:46:10 fns4 postgres[7223]: [4-1] FATAL: LDAP authentication failed for user "dbadm"
There definitely should be more than that. Note however that most of
these things are not classified as errors, so they are logged at LOG
level. It may be that you're filtering so you're not showing LOG level
information, or perhaps your syslogd is configured to write them to a
different file.
AFAICS, the only code-path that does not log *why* it rejected the
authentication is the case when the client refuses to send a password.
//Magnus