LDAP Authentication

Started by Taha Ozket almost 18 years ago, 5 messages, general
#1Taha Ozket
tahaozket@gmail.com

Hi,

I have an LDAP group, "pgsql-developers". I have a user (user1) who is a
member of this group:

group
dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
objectClass: groupOfUniqueNames
objectClass: top
cn: SVN Committers
uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x

user
dn: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
objectClass: person
objectClass: top
objectClass: uidObject
cn:: Denem1
sn:: Deneme2
uid: user1
userPassword:: e01ENX10WnhudnhscVIxZ1pIa0wzWm5ET3VnPT0=

I added this line to pg_hba.conf [1]:

host all all 172.20.0.0/16 ldap
"ldap://localhost/basedn;cn=;,cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x"

But now PostgreSQL requires that my user1 be defined under
cn=pgsql-developers,ou=Groups... But I want to give login permission to
pgsql-developers members.

How can I change this line to give login permission to
pgsql-developers members?

[1]: http://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD

#2Magnus Hagander
magnus@hagander.net
In reply to: Taha Ozket (#1)
Re: LDAP Authentication

Taha Ozket wrote:

Hi,

I have an LDAP group, "pgsql-developers". I have a user (user1) who is a
member of this group:

group
dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
objectClass: groupOfUniqueNames
objectClass: top
cn: SVN Committers
uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x

user
dn: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
objectClass: person
objectClass: top
objectClass: uidObject
cn:: Denem1
sn:: Deneme2
uid: user1
userPassword:: e01ENX10WnhudnhscVIxZ1pIa0wzWm5ET3VnPT0=

I added this line to pg_hba.conf [1]:

host all all 172.20.0.0/16 ldap
"ldap://localhost/basedn;cn=;,cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x"

But now PostgreSQL requires that my user1 be defined under
cn=pgsql-developers,ou=Groups... But I want to give login permission to
pgsql-developers members.

How can I change this line to give login permission to
pgsql-developers members?

This is not something you currently can do. We can only do LDAP
authentication, not authorization. There's no way to restrict it to a
particular group.

One way to accomplish what you're trying to do is to have a script that
synchronizes the members of the group to PostgreSQL accounts (account
name and role membership only), and still use LDAP for authentication.
It doesn't work in every case, but it does work in most.

//Magnus
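The synchronization script Magnus describes, sketched as an added example (not code from the thread or from PostgreSQL): it reads the group entry from an LDIF export, which here is a constructed copy of the entry in message #1 with a second member, and emits the CREATE ROLE, GRANT, REVOKE and NOLOGIN statements needed to make PostgreSQL role membership match the LDAP group. The role name pgsql_developers and the snapshot of existing roles are assumptions; passwords are never set, so LDAP still does the authentication.

```python
import re

# Constructed LDIF export of the group entry from message #1, with a second
# member (user2) added so that the reconciliation has something to create.
GROUP_LDIF = """\
dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
objectClass: groupOfUniqueNames
objectClass: top
cn: SVN Committers
uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
uniqueMember: uid=user2,ou=Users,o=Dep,dc=x,dc=x,dc=x
"""

UID_RDN = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def group_members(ldif):
    """Return the lower-cased uid of every uniqueMember whose RDN is uid=... ."""
    members = set()
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "uniquemember":
            match = UID_RDN.match(value.strip())
            if match:
                members.add(match.group(1).lower())
    return members


def quote_ident(name):
    """Double-quote an identifier so an odd LDAP uid cannot break the SQL."""
    return '"' + name.replace('"', '""') + '"'


def sync_statements(ldap_members, pg_members, existing_roles, group_role="pgsql_developers"):
    """SQL that makes membership of group_role match the LDAP group.

    Roles are created without a password: pg_hba.conf still sends them to
    LDAP, so this only governs who may log in and which group they belong to.
    """
    stmts = []
    for uid in sorted(ldap_members - existing_roles):
        stmts.append(f"CREATE ROLE {quote_ident(uid)} LOGIN;")
    for uid in sorted(ldap_members - pg_members):
        stmts.append(f"GRANT {quote_ident(group_role)} TO {quote_ident(uid)};")
    for uid in sorted(pg_members - ldap_members):
        stmts.append(f"REVOKE {quote_ident(group_role)} FROM {quote_ident(uid)};")
        stmts.append(f"ALTER ROLE {quote_ident(uid)} NOLOGIN;")  # left the group
    return stmts
```

Run it from cron with a query of pg_roles and pg_auth_members supplying the two "current state" sets, and feed the output to psql.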

#3Brian A. Seklecki (Mobile)
bseklecki@collaborativefusion.com
In reply to: Magnus Hagander (#2)
Re: LDAP Authentication

On Sun, 2008-06-29 at 17:58 +0200, Magnus Hagander wrote:

This is not something you currently can do. We can only do LDAP
authentication, not authorization. There's no way to restrict it to a
particular group.

We're very interested in this functionality (nss_ldap for PgSQL) -- so
if there's a joint-development effort that we can contribute man-hours
or development resources (challenge grant funding, hardware, etc.) to,
let us know.

~BAS

One way to accomplish what you're trying to do is to have a script that
synchronizes the members of the group to PostgreSQL accounts (account
name and role membership only), and still use LDAP for authentication.


#4Ron Peterson
rpeterso@mtholyoke.edu
In reply to: Taha Ozket (#1)
Re: LDAP Authentication

2008-06-29_09:44:01-0400 Taha Ozket <tahaozket@gmail.com>:

I have an LDAP group, "pgsql-developers". I have a user (user1) who is a
member of this group:
...
How can I change this line to give login permission to
pgsql-developers members?

If you have pam available, you could do pam authentication, and
configure pam_ldap to enforce group membership.

--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
-
I wish my computer would do what I want it to do - not what I tell it to do.
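Ron's pam_ldap route, written out as an added example rather than anything from the thread: pg_hba.conf hands the connection to PAM (the pamservice= form is the current syntax; the 2008 releases took the service name as a bare argument), the PAM service stacks pam_ldap, and PADL pam_ldap's pam_groupdn setting turns the group from message #1 into a login requirement. The service name "postgresql" and the file paths are assumptions; the group DN is the one from the thread.

```ini
# pg_hba.conf: same network as before, PAM instead of the ldap method
host    all    all    172.20.0.0/16    pam    pamservice=postgresql

# /etc/pam.d/postgresql (assumed path): authenticate and authorize via pam_ldap
auth     required   pam_ldap.so
account  required   pam_ldap.so

# /etc/ldap.conf for PADL pam_ldap (assumed path): bind, then require group membership
base                 o=Dep,dc=x,dc=x,dc=x
pam_groupdn          cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
pam_member_attribute uniqueMember
```

Users who bind successfully but are not listed in the group's uniqueMember attribute are refused by pam_ldap, so PostgreSQL never sees them as authenticated.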

#5Ron Peterson
rpeterso@mtholyoke.edu
In reply to: Ron Peterson (#4)
Re: LDAP Authentication

2008-07-03_21:17:50-0400 Ron Peterson <rpeterso@mtholyoke.edu>:

2008-06-29_09:44:01-0400 Taha Ozket <tahaozket@gmail.com>:

I have an LDAP group, "pgsql-developers". I have a user (user1) who is a
member of this group:
...
How can I change this line to give login permission to
pgsql-developers members?

If you have pam available, you could do pam authentication, and
configure pam_ldap to enforce group membership.

ps - FWIW, I typically make group membership an attribute of the user
object itself, rather than maintain groups objects and user objects
separately. Primarily because many apps aren't sophisticated enough to
deal with having them separated.

--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
-
I wish my computer would do what I want it to do - not what I tell it to do.