Ldap – postgresql LDAP authentication

ldapopenldappostgresql

I am trying to give an LDAP authentication to my postgresql database.

Here is my pg_hba.conf config file

local all all md5
local all postgres md5
host  all all   0.0.0.0/0 ldap ldapserver=myldap_serverip ldapprefix="cn=" ldapsuffix=", ou=users, dc=example, dc=hyd, dc=com"

But when i am trying to connect with one of my LDAP user called test, i am getting the following error:

psql -U test
Password for user test:
psql: FATAL:  password authentication failed for user "test"

Note: I have created test user in postgresql.

I performed the below search and it is working

ldapsearch -W -D "cn=test user,ou=users,dc=example,dc=hyd,dc=com" -b "dc=example,dc=hyd,dc=com" "uid=test"

Best Answer

It seems you're testing the LDAP bind with a different dn than what postgres constructs:

cn=test user,ou=users,dc=example,dc=hyd,dc=com

"cn=" + "test" + ", ou=users, dc=example, dc=hyd, dc=com"

i.e. "test" doesn't match "test user"

Related Solutions

Postgresql – Enable both ident and md5 authentication in PostgreSQL

https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html indicates that the order of entries maters, specifically:

Since the pg_hba.conf records are examined sequentially for each connection attempt, the order of the records is significant. Typically, earlier records will have tight connection match parameters and weaker authentication methods, while later records will have looser match parameters and stronger authentication methods. For example, one might wish to use trust authentication for local TCP/IP connections but require a password for remote TCP/IP connections. In this case a record specifying trust authentication for connections from 127.0.0.1 would appear before a record specifying password authentication for a wider range of allowed client IP addresses.

(so try reversing the order - put the line you are adding at the top)

Postgresql – Facing authentication error on postgres 9.2 -> dblink functions

You need to specify the user parameter in the connect string, for example:

SELECT dblink_connect('host=127.0.0.1 port=5432 dbname=postgres user=postgres password=test')

otherwise it's taken from the user account's name and obviously it's not suitable in your case.

Best Answer

Related Solutions

Postgresql – Enable both ident and md5 authentication in PostgreSQL

Postgresql – Facing authentication error on postgres 9.2 -> dblink functions

Related Topic