PAM LDAP CREATE USER

Started by Noname over 10 years ago, 3 messages, general
#1 Noname
Aaron_Wright@selinc.com

I recently upgraded from 8.4 to 9.3, and my custom LDAP PAM module no
longer works.
In brief, my LDAP PAM module authenticates a centralized user and then
creates a matching database user, using a separate super user connection
to the database, before returning successfully from the PAM module. This
used to work beautifully, but now I get a FATAL error, "role %s does not
exist".
Did I depend on a "feature" that got fixed at some point? Is this an issue
with the connection already being started, so no new users are considered?
Is there a way to make this work?

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Noname (#1)
Re: PAM LDAP CREATE USER

Aaron_Wright@selinc.com writes:

> I recently upgraded from 8.4 to 9.3, and my custom LDAP PAM module no
> longer works.

8.4.what and 9.3.what? Have you checked the behavior in any other releases?

> In brief, my LDAP PAM module authenticates a centralized user and then
> creates a matching database user, using a separate super user connection
> to the database, before returning successfully from the PAM module. This
> used to work beautifully, but now I get a FATAL error, "role %s does not
> exist".

That seems mighty Rube Goldbergian ... but it's not clear why it used to
work and doesn't anymore. If you'd said 9.4 I'd have guessed at a corner
case in catalog snapshot invalidation, but I think 9.3 would just be
looking for the role with SnapshotNow, which should pretty much always
work. (You're sure the transaction in the background is getting committed
in time, right? And it's being sent to the 9.3 DB not the 8.4 one?)

Also, just to clarify: this is a PAM auth module that just happens to talk
to some LDAP server behind the scenes, right? If Postgres thinks this is
LDAP auth method then some other possibilities open up --- but AFAICS
we've not touched the PAM code since 8.4.2.

regards, tom lane

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#3 Noname
Aaron_Wright@selinc.com
In reply to: Tom Lane (#2)
Re: PAM LDAP CREATE USER

From: Tom Lane <tgl@sss.pgh.pa.us>
> Aaron_Wright@selinc.com writes:
>> I recently upgraded from 8.4 to 9.3, and my custom LDAP PAM module no
>> longer works.
>
> 8.4.what and 9.3.what?

8.4.16 to 9.3.4

> Have you checked the behavior in any other releases?

Not yet. I was interested in getting a laugh test from the mailing list
first; to see if I was completely off my rocker or not.

>> In brief, my LDAP PAM module authenticates a centralized user and then
>> creates a matching database user, using a separate super user connection
>> to the database, before returning successfully from the PAM module. This
>> used to work beautifully, but now I get a FATAL error, "role %s does not
>> exist".
>
> That seems mighty Rube Goldbergian

From what I've researched this is the only way to accomplish what I'm
trying to. Everything I read online keeps telling me that in order for
LDAP to work with postgresql, the user must already exist in the database.
Most of the workarounds for this involve a cron job that sucks up the
entire directory of users and creates matching users in the database
periodically.

That seems a little crazy to me, so I have a PAM LDAP module which creates
the users on the fly.

> ... but it's not clear why it used to
> work and doesn't anymore. If you'd said 9.4 I'd have guessed at a corner
> case in catalog snapshot invalidation, but I think 9.3 would just be
> looking for the role with SnapshotNow, which should pretty much always
> work. (You're sure the transaction in the background is getting committed
> in time, right? And it's being sent to the 9.3 DB not the 8.4 one?)

The PAM LDAP module uses PQconnectdb to create a super user connection to
the database. It uses PQexec to run "CREATE USER 'user' PASSWORD NULL IN
ROLE 'role';". And finishes up with a PQfinish before PAM_SUCCESS is
returned to postgres. I'm a bit limited in my database knowledge, so
please let me know if that sequence is leaving something dangling. I see
the "CREATE USER" query in the pg_log file.

Also, if I try to log in a second time, it works fine. This is presumably
because the user now exists.

> Also, just to clarify: this is a PAM auth module that just happens to talk
> to some LDAP server behind the scenes, right? If Postgres thinks this is
> LDAP auth method then some other possibilities open up --- but AFAICS
> we've not touched the PAM code since 8.4.2.

You're correct, this is a PAM auth module that handles talking to the LDAP
server and authenticating the user.

pg_hba.conf line includes "host all all 0.0.0.0/0 pam pamservice=..." and
there's a matching pam configuration file.

I'm not familiar with the "LDAP auth method", but I don't think I can use
that as the documents say, "user must already exist" in that situation,
which is the same problem I'm trying to fix.

> regards, tom lane
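As an added example, not code from this thread or from the PAM module Aaron describes: the part of such a module that turns a directory-supplied name into the CREATE USER statement handed to PQexec. It assumes a hypothetical group role named ldap_users and constructs its own sample names; the libpq calls mentioned in comments (PQconnectdb, PQexecParams, PQescapeIdentifier, PQfinish) are real but are not linked here, so the block builds with no dependencies. The point it makes from the defender's side: role names are SQL identifiers, so they belong in double quotes (the form PQescapeIdentifier produces), and a name that arrives from LDAP should pass an allow-list before it is interpolated into DDL that runs on a superuser connection.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parameterized existence probe: with PQexecParams the raw name travels as
 * a bound parameter ($1) and needs no quoting at all. Creating the role only
 * when this returns zero rows keeps a repeat login from hitting a
 * "role already exists" error on the superuser connection. */
static const char ROLE_EXISTS_SQL[] =
    "SELECT 1 FROM pg_roles WHERE rolname = $1";

/* Allow-list for principals coming from the directory before they are ever
 * placed in DDL: letters, digits, '.', '_', '-' and at most 63 bytes, which
 * is PostgreSQL's identifier length limit (NAMEDATALEN - 1). */
static int is_safe_principal(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 63)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Quote an SQL identifier the way PQescapeIdentifier does: wrap it in double
 * quotes and double any embedded double quote. Returns the number of bytes
 * written (excluding the NUL) or -1 if the buffer is too small. */
static int quote_ident(const char *name, char *out, size_t outlen)
{
    size_t needed = 3;  /* opening quote, closing quote, NUL */
    for (const char *p = name; *p; p++)
        needed += (*p == '"') ? 2 : 1;
    if (needed > outlen)
        return -1;
    size_t pos = 0;
    out[pos++] = '"';
    for (const char *p = name; *p; p++) {
        if (*p == '"')
            out[pos++] = '"';
        out[pos++] = *p;
    }
    out[pos++] = '"';
    out[pos] = '\0';
    return (int)pos;
}

/* Build the statement a PAM module would run over its libpq superuser
 * connection (PQconnectdb ... PQexec ... PQfinish). Returns 0 on success,
 * -1 if either name fails the allow-list or the output buffer is too small.
 * The caller is expected to check PQresultStatus(res) == PGRES_COMMAND_OK
 * before returning PAM_SUCCESS. */
static int build_create_user_sql(const char *user, const char *group,
                                 char *out, size_t outlen)
{
    char quser[80], qgroup[80];  /* 63 bytes + quotes + NUL fits comfortably */
    if (!is_safe_principal(user) || !is_safe_principal(group))
        return -1;
    if (quote_ident(user, quser, sizeof quser) < 0 ||
        quote_ident(group, qgroup, sizeof qgroup) < 0)
        return -1;
    int n = snprintf(out, outlen, "CREATE USER %s PASSWORD NULL IN ROLE %s;",
                     quser, qgroup);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names standing in for what the directory returns;
     * "ldap_users" is a hypothetical group role. */
    const char *samples[] = { "alice.wright", "bob\" SUPERUSER; --", "" };
    char sql[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_create_user_sql(samples[i], "ldap_users", sql, sizeof sql) == 0)
            printf("accepted: %s\n", sql);
        else
            printf("rejected: [%s]\n", samples[i]);
    }
    printf("existence probe: %s\n", ROLE_EXISTS_SQL);
    return 0;
}
```

Running the block prints one accepted statement for the well-formed name and rejections for the two others; the second sample shows why the allow-list sits in front of the quoting rather than relying on quoting alone.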