troubleshooting postgresql ldap authentication

Started by Chris Stephens almost 6 years ago, 5 messages, pgsql-general
#1 Chris Stephens
cstephens16@gmail.com

postgresql 12
centos 7

i am trying to configure ldap authentication.

i have the following pg_hba.conf entry (server and basedn are correct but
not shown):

hostssl all all 0.0.0.0/0 ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1

when i attempt to authenticate, i see the following in pg logs:

2020-06-08 15:58:43 CDT [20235]: [1-1]
user=[unknown],db=[unknown],app=[unknown],client=zzz LOG: connection
received: host=zzz port=12378
2020-06-08 15:58:43 CDT [20235]: [2-1]
user=uuu,db=postgres,app=[unknown],client=zzz LOG: could not initialize
LDAP: Bad parameter to an ldap routine
2020-06-08 15:58:43 CDT [20235]: [3-1]
user=uuu,db=postgres,app=[unknown],client=zzz FATAL: LDAP authentication
failed for user "uuu"
2020-06-08 15:58:43 CDT [20235]: [4-1]
user=uuu,db=postgres,app=[unknown],client=zzz DETAIL: Connection matched
pg_hba.conf line 90: "hostssl all all 0.0.0.0/0
ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1"

does anyone know what might be causing "LDAP: Bad parameter to an ldap routine"?

ldapsearch works fine w/ the supplied ldapserver and base dn.

#2 Thomas Munro
thomas.munro@gmail.com
In reply to: Chris Stephens (#1)
Re: troubleshooting postgresql ldap authentication

On Tue, Jun 9, 2020 at 9:05 AM Chris Stephens <cstephens16@gmail.com> wrote:

> hostssl all all 0.0.0.0/0 ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1
>
> does anyone know what might be causing "LDAP: Bad parameter to an ldap routine"?

You probably want ldapurl="ldaps://xxx" (note: ldapurl, not
ldapserver). Or you could use ldapscheme="ldaps" and
ldapserver="xxx".

#3 Paul Förster
paul.foerster@gmail.com
In reply to: Chris Stephens (#1)
Re: troubleshooting postgresql ldap authentication

Hi Chris,

On 08. Jun, 2020, at 23:05, Chris Stephens <cstephens16@gmail.com> wrote:
> postgresql 12
> centos 7

here: PostgreSQL 11.6 & 12.3, SLES 12 & 15

> hostssl all all 0.0.0.0/0 ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1

we use:

hostssl all all 0.0.0.0/0 ldap ldapserver="host1 host2" ldapport=389 ldapsearch="dc=domain,dc=example,dc=com" ldapsearchattribute="uid" ldaptls=1

Works pretty well.

Cheers,
Paul

#4 Chris Stephens
cstephens16@gmail.com
In reply to: Thomas Munro (#2)
Re: troubleshooting postgresql ldap authentication

yes, shortly after i sent this out to the list, one of our security
administrators suggested ldapscheme. I just tested and ldapurl works as
well.

the security admin explained it like this:

"since we are using port 636 I know that it needs the TLS connection in
place before LDAP commands. starttls does the opposite. allows an LDAP
connection to "upgrade" to TLS. so the previous errors were simply it
unable to connect to server."

i'm guessing information like that doesn't belong in postgresql
documentation but it would have been useful yesterday. :)

thanks for the response! i just recently made the switch to postgresql
after 20 years of mainly Oracle. during that time, the oracle-l mailing
list was invaluable as a learning tool and as a way to get help
when needed. it's great to know there's a similar mailing list in the
postgresql community!

On Mon, Jun 8, 2020 at 7:41 PM Thomas Munro <thomas.munro@gmail.com> wrote:

> On Tue, Jun 9, 2020 at 9:05 AM Chris Stephens <cstephens16@gmail.com> wrote:
>
> > hostssl all all 0.0.0.0/0 ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1
> >
> > does anyone know what might be causing "LDAP: Bad parameter to an ldap routine"?
>
> You probably want ldapurl="ldaps://xxx" (note: ldapurl, not
> ldapserver). Or you could use ldapscheme="ldaps" and
> ldapserver="xxx".

#5 Stephen Frost
sfrost@snowman.net
In reply to: Chris Stephens (#4)
Re: troubleshooting postgresql ldap authentication

Greetings,

* Chris Stephens (cstephens16@gmail.com) wrote:

> yes, shortly after i sent this out to the list, one of our security
> administrators suggested ldapscheme. I just tested and ldapurl works as
> well.
>
> the security admin explained it like this:
>
> "since we are using port 636 I know that it needs the TLS connection in
> place before LDAP commands. starttls does the opposite. allows an LDAP
> connection to "upgrade" to TLS. so the previous errors were simply it
> unable to connect to server."
>
> i'm guessing information like that doesn't belong in postgresql
> documentation but it would have been useful yesterday. :)

Might be interesting to know if the security administrator also
understands that the way ldap-based auth works (at least in PG) is that
the user's password is sent to the PG server where it could potentially
be hijacked if the PG server is compromised..

If you're in an active directory environment, you really should be using
the 'gss' method instead, which is Kerberos underneath and avoids that
issue.

> thanks for the response! i just recently made the switch to postgresql
> after 20 years of mainly Oracle. during that time, the oracle-l mailing
> list was invaluable as a learning tool and as a way to get help
> when needed. it's great to know there's a similar mailing list in the
> postgresql community!

You're certainly welcome here! One thing to mention is that, as you may
have noticed, we communicate on these lists by responding in-line rather
than 'top-posting', since it makes things easier for everyone else on
the list to follow.

Thanks, and welcome!

Stephen
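Added example, not code from the thread or from the PostgreSQL project: a small pg_hba.conf linter that flags the two things this thread turns on, a URL stuffed into ldapserver (Thomas Munro's point in #2) and ldaptls=1 stacked on an ldaps connection (the security admin's explanation in #4), plus entries that leave either leg of the password's path unencrypted. It cannot address Stephen Frost's point in #5 that the ldap method hands the user's password to the PostgreSQL server itself; the sample lines are constructed, with xxx and yyy standing in for the real host and base DN as in the thread.

```python
import shlex

# Constructed pg_hba.conf sample: the thread's failing entry, Thomas Munro's two
# suggested forms, a StartTLS-on-389 entry like Paul's, and a plain 'host' line.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS    METHOD  [OPTIONS]
hostssl all all 0.0.0.0/0 ldap ldapserver="ldaps://xxx" ldapbasedn="yyy" ldaptls=1
hostssl all all 0.0.0.0/0 ldap ldapurl="ldaps://xxx/yyy?uid?sub"
hostssl all all 0.0.0.0/0 ldap ldapscheme="ldaps" ldapserver="xxx" ldapbasedn="yyy"
hostssl all all 0.0.0.0/0 ldap ldapserver="host1 host2" ldapport=389 ldapbasedn="yyy" ldapsearchattribute="uid" ldaptls=1
host    all all 0.0.0.0/0 ldap ldapserver="xxx" ldapbasedn="yyy"
"""

def parse_hba_line(line):
    """Split a pg_hba.conf line into its fixed fields and an option dict.
    shlex keeps quoted values such as ldapserver="host1 host2" together."""
    fields = shlex.split(line, comments=True)
    if len(fields) < 5:
        return None
    entry = dict(zip(("type", "db", "user", "address", "method"), fields[:5]))
    entry["options"] = dict(opt.partition("=")[::2] for opt in fields[5:])
    return entry

def check_ldap_entry(entry):
    """Findings for one 'ldap' entry: a URL in ldapserver (the thread's error),
    StartTLS stacked on ldaps, no TLS to LDAP at all, and non-hostssl entries."""
    opts, findings = entry["options"], []
    uses_ldaps = opts.get("ldapscheme") == "ldaps" or any(
        opts.get(k, "").startswith("ldaps://") for k in ("ldapurl", "ldapserver"))
    if opts.get("ldapserver", "").startswith(("ldap://", "ldaps://")):
        findings.append("ldapserver holds a URL; use ldapurl=, or ldapscheme= with a bare host")
    if opts.get("ldaptls") == "1" and uses_ldaps:
        findings.append("ldaptls=1 requests StartTLS on a connection that is already ldaps")
    if not uses_ldaps and opts.get("ldaptls") != "1":
        findings.append("no TLS to the LDAP server: the bind password crosses the network in clear")
    if entry["type"] != "hostssl":
        findings.append("type is not hostssl: the client's password reaches PostgreSQL in clear")
    return findings

def lint_pg_hba(text):
    """Map 1-based line numbers of 'ldap' entries to their findings."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_hba_line(line)
        if entry and entry["method"] == "ldap":
            report[lineno] = check_ldap_entry(entry)
    return report
```

Running lint_pg_hba(SAMPLE_PG_HBA) reports two findings on the thread's line (URL in ldapserver, StartTLS on ldaps), none on the three corrected forms, and two on the plain 'host' line.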