pg_hba.conf "authentication file token too long, skipping"

Started by Zechman, Derek S over 2 years ago, 4 messages, bugs
#1 Zechman, Derek S
Derek.S.Zechman@snapon.com

Hello and thank you in advance for your time.

* We use ldap to authenticate users.

* We utilize ldapsearchfilter to look for a user in a specified Security Group.

* Some clusters have multiple security groups that have been authorized to login.

* It seems that after we have more than 2 security groups we hit a limit on the pg_hba entry length.

* Here is our entry - I have put x's that correspond to exact character lengths. Our ldapbindpasswd is 30 characters

hostssl all +fnc_personal_account_rl XXX.XX.X.X/16 ldap ldapserver=xxxx-xxxx-xx-xx.mydomainname.com ldapbasedn="OU=Users,OU=Primary,OU=All,DC=mydomainname,DC=com" ldapbinddn="CN=abc_postgres_sa,OU=T1-ServiceAccounts,OU=Tier1,OU=Admin,OU=All,DC=mydomainname,DC=com" ldapbindpasswd="30characterpassword" ldapsearchfilter="(&(objectClass=user)(sAMAccountName=$username)(|(memberof=CN=xxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=XxxxxxXXXx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=xxxxxxxxxxxxxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)))"

* And then here is the error that we get with reload. If we stop and then try to start, the cluster will not start at all.

2023-07-24 10:30:01.063 EDT,,,720234,,64be8ac0.afd6a,7,,2023-07-24 10:29:20 EDT,,0,LOG,00000,"received SIGHUP, reloading configuration files",,,,,,,,"SIGHUP_handler, postmaster.c:2717","","postmaster",,0
2023-07-24 10:30:01.064 EDT,,,720234,,64be8ac0.afd6a,8,,2023-07-24 10:29:20 EDT,,0,LOG,F0000,"authentication file token too long, skipping: ""ldapsearchfilter=(&(objectClass=user)(sAMAccountName=$username)(|(memberof=CN=xxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=XxxxxxXXXx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=xxxxxxxxxxxxxx,OU=Groups,OU=Primar""",,,,,,,,"next_token, hba.c:242","","postmaster",,0
2023-07-24 10:30:01.064 EDT,,,720234,,64be8ac0.afd6a,9,,2023-07-24 10:29:20 EDT,,0,LOG,00000,"pg_hba.conf was not reloaded",,,,,,,,"SIGHUP_handler, postmaster.c:2743","","postmaster",,0

Here are my relevant environment details:
postgres --version (have tried on both below versions - same error)
postgres (PostgreSQL) 14.8
postgres (PostgreSQL) 15.3

NAME="Red Hat Enterprise Linux"
VERSION="8.8 (Ootpa)"
Kernel - 4.18.0-477.15.1.el8_8.x86_64

* This entry works - which only has 2 Security groups defined

hostssl all +fnc_personal_account_rl XXX.XX.X.X/16 ldap ldapserver=xxxx-xxxx-xx-xx.mydomainname.com ldapbasedn="OU=Users,OU=Primary,OU=All,DC=mydomainname,DC=com" ldapbinddn="CN=abc_postgres_sa,OU=T1-ServiceAccounts,OU=Tier1,OU=Admin,OU=All,DC=mydomainname,DC=com" ldapbindpasswd="30characterpassword" ldapsearchfilter="(&(objectClass=user)(sAMAccountName=$username)(|(memberof=CN=XxxxxxXXXx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=xxxxxxxxxxxxxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)))"

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Zechman, Derek S (#1)
Re: pg_hba.conf "authentication file token too long, skipping"

"Zechman, Derek S" <Derek.S.Zechman@snapon.com> writes:

hostssl all +fnc_personal_account_rl XXX.XX.X.X/16 ldap ldapserver=xxxx-xxxx-xx-xx.mydomainname.com ldapbasedn="OU=Users,OU=Primary,OU=All,DC=mydomainname,DC=com" ldapbinddn="CN=abc_postgres_sa,OU=T1-ServiceAccounts,OU=Tier1,OU=Admin,OU=All,DC=mydomainname,DC=com" ldapbindpasswd="30characterpassword" ldapsearchfilter="(&(objectClass=user)(sAMAccountName=$username)(|(memberof=CN=xxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=XxxxxxXXXx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)(memberof=CN=xxxxxxxxxxxxxx,OU=Groups,OU=Primary,OU=All,DC=mydomainname,DC=com)))"

Yeah, your ldapsearchfilter option is hitting the 256-byte MAX_TOKEN
limit in hba.c. A one-line improvement would be to increase that
constant, but it doesn't look very much harder to get rid of that
fixed-size buffer altogether in favor of a StringInfo.

regards, tom lane

#3 Zechman, Derek S
Derek.S.Zechman@snapon.com
In reply to: Tom Lane (#2)
RE: pg_hba.conf "authentication file token too long, skipping"

"A one-line improvement would be to increase that constant, but it doesn't look very much harder to get rid of that fixed-size buffer altogether in favor of a StringInfo."

Is this something that can be included in the next patch?

-----Original Message-----
From: Tom Lane <tgl@sss.pgh.pa.us>
Sent: Monday, July 24, 2023 12:52 PM
To: Zechman, Derek S <Derek.S.Zechman@snapon.com>
Cc: pgsql-bugs@lists.postgresql.org
Subject: Re: pg_hba.conf "authentication file token too long, skipping"

#4 Euler Taveira
euler@eulerto.com
In reply to: Zechman, Derek S (#3)
Re: pg_hba.conf "authentication file token too long, skipping"

On Tue, Aug 1, 2023, at 1:29 PM, Zechman, Derek S wrote:

"A one-line improvement would be to increase that constant, but it doesn't look very much harder to get rid of that fixed-size buffer altogether in favor of a StringInfo."

Is this something that can be included in the next patch?

Tom pushed patches for all supported back branches that raise the token length
from 256 to 10240 [1]. If it is v13 or earlier [2], it also requires changing
the limit of line length (from 8192 to 20480). In v16 this limit was
completely eliminated using StringInfo [3].

In summary, this improvement will be available in the next minor releases.

[1]: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=313ceda2fe2ee8dd903ad4773f54de14807807c6
[2]: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=0660f74e861d0dc942af3e0b5f88cb2f0c72aee5
[3]: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=de3f0e3fe0e7d44620111c5723504a3a6e8c046e

--
Euler Taveira
EDB https://www.enterprisedb.com/