Discussion: BUG #14040: Cannot authenticate against Active Directory in search+bind mode using domain root naming context
BUG #14040: Cannot authenticate against Active Directory in search+bind mode using domain root naming context
From
xenophon@irtnog.org
Date:
The following bug has been logged on the website:

Bug reference: 14040
Logged by: Matthew X. Economou
Email address: xenophon@irtnog.org
PostgreSQL version: 9.2.15
Operating system: CentOS 7

Description:

When authenticating PostgreSQL login roles against an Active Directory domain in search+bind mode using the domain root naming context (NC) as the search base, e.g., with an entry similar to the following in pg_hba.conf - `host all all 0.0.0.0/0 ldap ldapserver=example.com ldapbasedn="dc=example,dc=com" ldapbinddn=pgsql@EXAMPLE.COM ldapbindpasswd=12345skrooB ldapsearchattribute=sAMAccountName ldaptls=1`, PostgreSQL will fail to authenticate the user even though the user provided the correct credentials.

1 - PostgreSQL's LDAP client will connect to a domain controller, bind using the provided ldapbinddn/ldapbindpasswd, and perform a subtree search from the domain root NC. The domain controller will return the correct user object plus referrals to the other Active Directory NCs, e.g., `cn=Configuration,dc=example,dc=com`, `cn=DomainDnsZones,dc=example,dc=com`, and `cn=ForestDnsZones,dc=example,dc=com`.

2 - The LDAP client will chase the referrals automatically, but it binds to each NC anonymously, after which it performs the same subtree search. These searches fail because Active Directory does not permit anonymous directory searches by default.

3 - The LDAP client does not attempt to re-bind using the original search results plus the user's password. It seems that the search failures in step 2 trump the successful search results in step 1.

As a workaround one may specify a non-root search base, e.g., `ldapbasedn="ou=MyBusiness,dc=example,dc=com"`, which being more specific causes the domain controller to not include referrals to other NCs. Another workaround would be to disable referral chasing. However, it does not appear possible to disable LDAP referrals via postgresql.conf.
This should be possible in the LDAP client library via ldap_set_option, i.e., by setting `LDAP_OPT_REFERRALS` to `LDAP_OPT_OFF`. The expected behavior is that PostgreSQL would perform all searches using the provided credentials and that it would not ignore successful search results.