LDAP authentication not working
Hi,
I'm running postgresql 9.1 on Debian and am trying to set up LDAP
authentication using the following configuration in pg_hba.conf:

    hostssl testdb all 143.50.203.0/24 ldap ldapserver="wegc24.uni-graz.at" ldapport=636 ldapbinddn="cn=nss,dc=uni-graz,dc=at" ldapbindpasswd="<thepasswd>" ldapbasedn="dc=uni-graz,dc=at"

Trying to access testdb via psql fails with the following error in the log:

    could not perform initial LDAP bind for ldapbinddn "cn=nss,dc=uni-graz,dc=at" on server "wegc24.uni-graz.at": error code -1

Unfortunately I did not find what error code -1 means.

Ldapsearch works fine:

    ldapsearch -W -H ldaps://wegc24.uni-graz.at:636/ -D "CN=nss,DC=uni-graz,DC=at"

It is also interesting that postgres seems not to even reach the LDAP
server: if I change the ldapserver parameter to a non-existing URL it gives
the same error code -1.
Any help much appreciated!
Best,
Juergen
I don't think SSL support for LDAP is supported. Have you tried TLS on port
389?
On May 13, 2014 8:20 PM, "Jürgen Fuchsberger" <juergen.fuchsberger@uni-graz.at> wrote:
On Wed, May 14, 2014 at 8:35 AM, Stephan Fabel <sfabel@hawaii.edu> wrote:
> I don't think SSL support for LDAP is supported. Have you tried TLS on
> port 389?

Correct, and you need to set ldaptls=1 to use that as well.
(And yes, unfortunately the LDAP error messages from openldap are
notoriously bad)
//Magnus
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
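Added example, not code from the thread or from the PostgreSQL project: a small Python lint that parses a 9.1-style pg_hba.conf ldap entry like the one in the thread, flags the unsupported ldaps/port 636 form and a missing ldaptls, and emits the StartTLS-on-389 entry that Stephan and Magnus recommend. It assumes the single CIDR address field used above; the sample entry is the thread's own, joined onto one line as pg_hba.conf requires.

```python
import re

# Option values in pg_hba.conf may be bare (ldapport=636) or double-quoted.
_OPT = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_hba_line(line):
    """Split a host/hostssl entry into fixed fields and auth options (None for comments/local)."""
    fields = line.strip().split(None, 5)
    if not fields or fields[0].startswith("#") or len(fields) < 5:
        return None
    entry = dict(zip(("type", "db", "user", "address", "method"), fields[:5]))
    entry["opts"] = {}
    if len(fields) == 6:  # everything after the method is key=value options
        for m in _OPT.finditer(fields[5]):
            entry["opts"][m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return entry

def lint_ldap_entry(entry):
    """Flag the two encryption mistakes discussed in the thread, with 9.1 semantics."""
    findings = []
    if entry is None or entry["method"] != "ldap":
        return findings
    o = entry["opts"]
    if o.get("ldapurl", "").startswith("ldaps://") or o.get("ldapport") == "636":
        findings.append("SSL-wrapped LDAP (ldaps, port 636) is not supported; "
                        "use StartTLS on port 389 with ldaptls=1")
    elif o.get("ldaptls") != "1":
        findings.append("ldaptls is not set: PostgreSQL will bind without encryption, "
                        "exposing the bind DN password and user passwords on the wire")
    return findings

def rewrite_for_starttls(entry):
    """Re-emit the entry with StartTLS on 389, the form 9.1 supports."""
    if "ldapurl" in entry["opts"]:
        raise ValueError("ldapurl is not a 9.1 option; use ldapserver/ldapport")
    opts = dict(entry["opts"])
    opts["ldapport"] = "389"
    opts["ldaptls"] = "1"
    option_text = " ".join('%s="%s"' % (k, v) for k, v in opts.items())
    return " ".join([entry[k] for k in ("type", "db", "user", "address", "method")] + [option_text])

# Constructed sample: the thread's pg_hba.conf entry joined onto one line.
SAMPLE_636 = ('hostssl testdb all 143.50.203.0/24 ldap ldapserver="wegc24.uni-graz.at" '
              'ldapport=636 ldapbinddn="cn=nss,dc=uni-graz,dc=at" '
              'ldapbindpasswd="<thepasswd>" ldapbasedn="dc=uni-graz,dc=at"')

if __name__ == "__main__":
    entry = parse_hba_line(SAMPLE_636)
    for f in lint_ldap_entry(entry): print("finding:", f)
    print("suggested:", rewrite_for_starttls(entry))
```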
On Wed, May 14, 2014 at 11:48 AM, Jürgen Fuchsberger <juergen.fuchsberger@uni-graz.at> wrote:
> On 05/14/2014 09:10 AM, Magnus Hagander wrote:
>> On Wed, May 14, 2014 at 8:35 AM, Stephan Fabel <sfabel@hawaii.edu> wrote:
>>> I don't think SSL support for LDAP is supported. Have you tried TLS
>>> on port 389?
>
> Thanks for the hint, no wonder it does not work. Unfortunately this info
> is not in the postgres documentation.

It is - indirectly, in the ldapurl documentation. "To use encrypted LDAP
connections, the ldaptls option has to be used in addition to ldapurl. The
ldaps URL scheme (direct SSL connection) is not supported."

But maybe it could be made more clear...

>> Correct, and you need to set ldaptls=1 to use that as well.
>
> This does not work with our LDAP server (seems it is not configured to
> support TLS)

That's strangely configured. The LDAP TLS support (in the protocol) is the
standardized one, and the "SSL wrapper" mode is not in the standard.

I *think* the "SSL wrapper" really is just that - wrap it in a standard SSL
connection. In which case it might work if you set up stunnel or something
like that to proxy the connection for you.

> Any idea whether LDAP over SSL will be supported in future postgres
> releases?

I am not aware of any such plans, but if you (or somebody else) is willing
to write a patch, I don't see a reason it would be rejected. Even though
it's non-standard, it's fairly widespread. I recall there being a reason it
wasn't added in the first place, but I don't recall what it was.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
On May 14, 2014 12:56 AM, "Magnus Hagander" <magnus@hagander.net> wrote:
> On Wed, May 14, 2014 at 11:48 AM, Jürgen Fuchsberger <juergen.fuchsberger@uni-graz.at> wrote:
>> On 05/14/2014 09:10 AM, Magnus Hagander wrote:
>>> On Wed, May 14, 2014 at 8:35 AM, Stephan Fabel <sfabel@hawaii.edu> wrote:
>>>> I don't think SSL support for LDAP is supported. Have you tried TLS
>>>> on port 389?
>>
>> Thanks for the hint, no wonder it does not work. Unfortunately this info
>> is not in the postgres documentation.
>
> It is - indirectly, in the ldapurl documentation. "To use encrypted LDAP
> connections, the ldaptls option has to be used in addition to ldapurl. The
> ldaps URL scheme (direct SSL connection) is not supported."

In the documentation for 9.1 ldapurl is not mentioned. That's what the OP
is using.

>> This does not work with our LDAP server (seems it is not configured to
>> support TLS)
>
> That's strangely configured. The LDAP TLS support (in the protocol) is
> the standardized one, and the "SSL wrapper" mode is not in the standard.

Enabling TLS on OpenLDAP is trivial, especially if you have SSL enabled
already. Ask your SysAdmin.

> I *think* the "SSL wrapper" really is just that - wrap it in a standard
> SSL connection. In which case it might work if you set up stunnel or
> something like that to proxy the connection for you.

That would work, but it shouldn't be necessary. Just enable TLS in
OpenLDAP.

>> Any idea whether LDAP over SSL will be supported in future postgres
>> releases?
>
> I am not aware of any such plans, but if you (or somebody else) is
> willing to write a patch, I don't see a reason it would be rejected. Even
> though it's non-standard, it's fairly widespread. I recall there being a
> reason it wasn't added in the first place, but I don't recall what it was.

I agree that it would be nice to support the LDAPS scheme in PostgreSQL as
well.

-Stephan
-------- Original Message --------
Subject: Re: [GENERAL] LDAP authentication not working
Resent-From: <juergen.fuchsberger@uni-graz.at>
Date: Wed, 14 May 2014 06:47:45 -1000
From: Stephan Fabel <sfabel@hawaii.edu>
To: Magnus Hagander <magnus@hagander.net>
CC: Postgres List <pgsql-general@postgresql.org>, Jürgen Fuchsberger <juergen.fuchsberger@uni-graz.at>

> On May 14, 2014 12:56 AM, "Magnus Hagander" <magnus@hagander.net> wrote:
>> On Wed, May 14, 2014 at 11:48 AM, Jürgen Fuchsberger <juergen.fuchsberger@uni-graz.at> wrote:
>>> On 05/14/2014 09:10 AM, Magnus Hagander wrote:
>>>> On Wed, May 14, 2014 at 8:35 AM, Stephan Fabel <sfabel@hawaii.edu> wrote:
>>>>> I don't think SSL support for LDAP is supported. Have you tried TLS
>>>>> on port 389?
>>>
>>> This does not work with our LDAP server (seems it is not configured to
>>> support TLS)
>
> Enabling TLS on OpenLDAP is trivial, especially if you have SSL enabled
> already. Ask your SysAdmin.

I did - as far as he knows we can not use both at the same time.

Juergen.
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general