[LDAPS] Test connection user with ldaps server

Started by João Gaspar, about 5 years ago, 4 messages, general
#1 João Gaspar
joao.f.r.gaspar@gmail.com

Hi all,

I have a PostgreSQL 13.1 (RHEL 8.3) Server and I want to configure the
pg_hba.conf with a remote ldaps server.

My steps:

I created a PostgreSQL user1 with the superuser role to test the ldaps
authentication method in the terminal client.

Modify the pg_hba.conf to:

host all all 0.0.0.0/0 ldap
ldapurl="ldaps://serverurl:636/DC=company,DC=example,DC=com?sAMAccountName?sub"
ldapbinddn="user-to-do-autentication-ldap-connection" ldapbindpasswd="
user-ldap-connection password-autentication"

Save and restart the PostgreSQL service.

I try to connect with the terminal client with psql -h
postgresqlremoteserverhost -U user1, and after entering the password it gives
the following error:
psql: FATAL: LDAP authentication failed for user "user1"

I validated the LDAP user1 with ldapsearch (on the RHEL host), and user1
appears correctly in the ldapsearch output using the same ldapurl, ldapbinddn
and ldapbindpasswd.

Checking the remote PostgreSQL logs, the connection to the remote ldaps does
the authentication correctly but can't search by the
attribute sAMAccountName. Here is the PostgreSQL log:
could not search LDAP for filter "(sAMAccountName=user1)" on server
"serverurl": Operations error
2021-02-13 10:02:54.679 WET [1127801] DETAIL:
LDAP diagnostics: 000004DC: LdapErr: DSID-0C0907E9, comment: To perform
this operation a successful bind must be completed on the connection., data
0, v2580

Info: The user1 was created as well in the ldaps server with sAMAccountName
user1.

It seems that the problem is in how pg_hba.conf tells it to search. Has
anyone had a similar problem or a resolution?

Thank you for your time.

Best regards,
João Gaspar

#2 Laurenz Albe
laurenz.albe@cybertec.at
In reply to: João Gaspar (#1)
Re: [LDAPS] Test connection user with ldaps server

On Sat, 2021-02-13 at 10:36 +0000, João Gaspar wrote:

I have a PostgreSQL 13.1 (RHEL 8.3) Server and I want to configure the pg_hba.conf with a remote ldaps server.

My steps:

I created a PostgreSQL user1 with the superuser role to test the ldaps authentication method in the terminal client.

Modify the pg_hba.conf to:

host all all 0.0.0.0/0 ldap ldapurl="ldaps://serverurl:636/DC=company,DC=example,DC=com?sAMAccountName?sub" ldapbinddn="user-to-do-autentication-ldap-connection" ldapbindpasswd=" user-ldap-connection password-autentication"

Save and restart the PostgreSQL service.

I try to connect with the terminal client with psql -h postgresqlremoteserverhost -U user1, and after entering the password it gives the following error:
psql: FATAL: LDAP authentication failed for user "user1"

I validated the LDAP user1 with ldapsearch (on the RHEL host), and user1 appears correctly in the ldapsearch output using the same ldapurl, ldapbinddn and ldapbindpasswd.

Checking the remote PostgreSQL logs, the connection to the remote ldaps does the authentication correctly but can't search by the attribute sAMAccountName. Here is the PostgreSQL log:
could not search LDAP for filter "(sAMAccountName=user1)" on server "serverurl": Operations error
2021-02-13 10:02:54.679 WET [1127801] DETAIL: LDAP diagnostics: 000004DC: LdapErr: DSID-0C0907E9,
comment: To perform this operation a successful bind must be completed on the connection., data 0, v2580

Info: The user1 was created as well in the ldaps server with sAMAccountName user1.

It seems that the problem is in how pg_hba.conf tells it to search. Has anyone had a similar problem or a resolution?

That error looks strange to me, but I am not an LDAP expert.

Your configuration seems fine to me, and if it gets to search, it must have bound to
"DC=company,DC=example,DC=com?sAMAccountName" as the "ldapbinddn" first.

What I would do is experiment with the "ldapsearch" executable from OpenLDAP and see
if you can reproduce the problem from the command line.

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com

#3 Thomas Munro
thomas.munro@gmail.com
In reply to: Laurenz Albe (#2)
Re: [LDAPS] Test connection user with ldaps server

On Tue, Feb 16, 2021 at 4:32 AM Laurenz Albe <laurenz.albe@cybertec.at> wrote:

What I would do is experiment with the "ldapsearch" executable from OpenLDAP and see
if you can reproduce the problem from the command line.

Also, maybe try doing this as the "postgres" user (or whatever user
PostgreSQL runs as), just in case there are some environmental
differences affecting the behaviour.

#4 João Gaspar
joao.f.r.gaspar@gmail.com
In reply to: Thomas Munro (#3)
Re: [LDAPS] Test connection user with ldaps server

Hi all,
thanks for the feedback.

I was able to do it successfully, but I don't yet understand whether there is
a bug in the pg_hba.conf LDAP link interpretation or a messy domain.

So, as I said previously, ldapsearch finds user1 fine using only the
base dc=company,dc=example,dc=com:
ldapsearch -x -H ldaps://serverurl -W -D "cn=user-to-do-autentication-ldap-connection" -b "dc=company,dc=example,dc=com" "sAMAccountName=user1"

Before (Can't search):
host all all 0.0.0.0/0 ldap
ldapurl="ldaps://serverurl:636/DC=company,DC=example,DC=com?sAMAccountName?sub"
ldapbinddn="user-to-do-autentication-ldap-connection" ldapbindpasswd="
user-ldap-connection password-autentication"

So what I did was add the Organization Unit (OU) and now works fine.

After:
host all all 0.0.0.0/0 ldap
ldapurl="ldaps://serverurl:636/OU=sub-company,DC=company,DC=example,DC=com?sAMAccountName?sub"
ldapbinddn="user-to-do-autentication-ldap-connection" ldapbindpasswd="
user-ldap-connection password-autentication"

Best regards,
João Gaspar

Thomas Munro <thomas.munro@gmail.com> wrote on Monday, 15/02/2021
at 22:39:

On Tue, Feb 16, 2021 at 4:32 AM Laurenz Albe <laurenz.albe@cybertec.at>
wrote:

What I would do is experiment with the "ldapsearch" executable from
OpenLDAP and see if you can reproduce the problem from the command line.

Also, maybe try doing this as the "postgres" user (or whatever user
PostgreSQL runs as), just in case there are some environmental
differences affecting the behaviour.
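As an added example (not code from this thread or from PostgreSQL), the Python below models the search+bind sequence PostgreSQL runs for the ldapurl form used above: bind as ldapbinddn, search the URL's base DN with the filter (attribute=username), then bind as the DN that was found. It parses the thread's "before" and "after" ldapurl values, builds that filter with a rejection of filter metacharacters in the user name (the rejected set is my reading of PostgreSQL's auth code, not something this thread states), and composes the ldapsearch command Laurenz suggested for reproducing the search step; the bind DN passed to it is a placeholder.

```python
import shlex
import urllib.parse

# Placeholder values copied from the thread; "serverurl" is not a real host.
LDAPURL_BEFORE = "ldaps://serverurl:636/DC=company,DC=example,DC=com?sAMAccountName?sub"
LDAPURL_AFTER = "ldaps://serverurl:636/OU=sub-company,DC=company,DC=example,DC=com?sAMAccountName?sub"

# Characters that would change the meaning of "(attr=user)" (filter injection).
# Assumption: PostgreSQL rejects user names containing these instead of escaping.
FORBIDDEN = set("*()\\/")


def parse_ldapurl(url):
    """Split an RFC 4516 URL (scheme://host:port/base?attr?scope?filter) into
    the pieces PostgreSQL derives from the ldapurl option."""
    scheme, rest = url.split("://", 1)
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: " + scheme)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    parts = urllib.parse.unquote(tail).split("?")
    parts += [""] * (4 - len(parts))          # pad missing trailing fields
    base, attr, scope, extra = parts[:4]
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base": base,                          # the part João had to narrow
        "attr": attr or "uid",                 # PostgreSQL's default attribute
        "scope": scope or "base",              # RFC 4516 default scope
        "filter": extra,
    }


def search_filter(attr, username):
    """The filter PostgreSQL logs, e.g. "(sAMAccountName=user1)"."""
    if FORBIDDEN & set(username):
        raise ValueError("invalid character in user name for LDAP authentication")
    return "(%s=%s)" % (attr, username)


def ldapsearch_command(url, binddn, username):
    """ldapsearch invocation equivalent to PostgreSQL's search step (binds as
    binddn, prompts for its password with -W, returns only the matching DN)."""
    u = parse_ldapurl(url)
    argv = ["ldapsearch", "-x", "-H", "%s://%s:%d" % (u["scheme"], u["host"], u["port"]),
            "-W", "-D", binddn, "-b", u["base"], "-s", u["scope"],
            search_filter(u["attr"], username), "dn"]
    return " ".join(shlex.quote(a) for a in argv)
```

Running the two commands produced for LDAPURL_BEFORE and LDAPURL_AFTER as the "postgres" OS user is the direct way to see whether the base DN alone explains the difference Thomas and Laurenz were asking about.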