Discussion: [GENERAL] LDAP authentication without OU in ldapbasedn


[GENERAL] LDAP authentication without OU in ldapbasedn

From
Gregory Nicol
Date:

Good morning all,

I can’t seem to get LDAP Authentication working without an OU in the ldapbasedn. My users are spread across multiple OUs without a common root OU which is why I’m trying to authenticate with just the DC.

With pg_hba.conf like this, I can connect successfully from psql…

    local     all             all            ldap ldapserver=192.168.xxx.xxx ldapbasedn="OU=DB_Accounts,DC=acme,DC=local" ldapbinddn="CN=XXXX ,OU=DB_Accounts,DC=acme,DC=local" ldapsearchattribute=sAMAccountName ldapbindpasswd=xxxxxxxxxxxxxxx

But if I remove the OU from the ldapbasedn, like this …

    local     all             all            ldap ldapserver=192.168.xxx.xxx ldapbasedn="DC=acme,DC=local" ldapbinddn="CN=XXXX ,OU=DB_Accounts,DC=acme,DC=local" ldapsearchattribute=sAMAccountName ldapbindpasswd=xxxxxxxxxxxxxxx

Then I get:

    psql: FATAL:  LDAP authentication failed for user "xxxxxxxx"

    select VERSION();
                                                     version
    ----------------------------------------------------------------------------------------------------------
     PostgreSQL 9.6.2 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-11), 64-bit

    psql --version
    psql (PostgreSQL) 9.6.2

Kind Regards,

Greg


The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and / or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.


Re: [GENERAL] LDAP authentication without OU in ldapbasedn

From
Stephen Frost
Date:
Greetings,

* Gregory Nicol (Gregory.Nicol@Medbank.com.mt) wrote:
> I can't seem to get LDAP Authentication working without an OU in the ldapbasedn. My users are spread across multiple
> OUs without a common root OU which is why I'm trying to authenticate with just the DC.

As it looks like you're working in a Microsoft Windows AD environment,
I'd strongly suggest you consider using Kerberos/GSS authentication
instead of LDAP.  With LDAP, the user has to constantly re-type their
password and the password is sent to the PostgreSQL server.  Neither of
these are ideal and both are avoided by simply using Kerberos, which is
what AD uses.

Authentication using LDAP really shouldn't ever be done in an
environment which has Active Directory.

Thanks!

Stephen


Re: [GENERAL] LDAP authentication without OU in ldapbasedn

From
Jeff Janes
Date:
On Thu, Jul 13, 2017 at 2:46 AM, Gregory Nicol <Gregory.Nicol@medbank.com.mt> wrote:

> Good morning all,
>
> I can’t seem to get LDAP Authentication working without an OU in the ldapbasedn. My users are spread across multiple OUs without a common root OU which is why I’m trying to authenticate with just the DC.

Have you tried using the "simple bind mode" where you specify just the ldapsuffix and the ldapserver?

Cheers,

Jeff
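The two pg_hba.conf shapes discussed in this thread, the search+bind entry from the first message (ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute) and the simple-bind entry Jeff suggests (ldapserver plus ldapprefix/ldapsuffix), drive quite different LDAP exchanges. The script below is an added example, not code from the thread, from PostgreSQL or from any of the posters: it parses a pg_hba.conf line and returns the sequence of LDAP operations the server would perform for a given user, so the two modes can be compared without a live directory. The server address 192.0.2.10, the DNs, the user name gnicol and the PLACEHOLDER password are constructed; the ldapsuffix="@acme.local" form assumes the directory accepts a user@domain bind name, as Active Directory does; and the set of characters refused in the user name is recalled from PostgreSQL's search+bind code in src/backend/libpq/auth.c, so treat it as illustrative rather than authoritative.

```python
"""Model how the ldap* options on a pg_hba.conf line become LDAP operations.

Added example, not PostgreSQL code. Server address, DNs, user name and
password below are constructed sample values.
"""
import shlex

# Characters refused in the user name when building the search filter, modelled
# on the check PostgreSQL applies in search+bind mode so that a user name cannot
# alter the filter (assumption: exact set recalled from src/backend/libpq/auth.c).
FILTER_METACHARS = frozenset("*()\\/")

SEARCH_OPTS = ("ldapbasedn", "ldapbinddn", "ldapbindpasswd", "ldapsearchattribute")
SIMPLE_OPTS = ("ldapprefix", "ldapsuffix")


def parse_hba_line(line: str) -> dict:
    """Split one pg_hba.conf line into its fixed fields plus name=value options."""
    tokens = shlex.split(line)  # keeps a quoted DN containing spaces as one token
    n_fixed = 5 if tokens and tokens[0].startswith("host") else 4  # host* lines carry an address
    if len(tokens) < n_fixed:
        raise ValueError("incomplete pg_hba.conf line")
    rec = {"type": tokens[0], "database": tokens[1], "user": tokens[2], "method": tokens[n_fixed - 1]}
    if n_fixed == 5:
        rec["address"] = tokens[3]
    for opt in tokens[n_fixed:]:
        key, sep, value = opt.partition("=")
        if not sep:
            raise ValueError(f"option without '=': {opt}")
        rec[key] = value
    return rec


def plan_ldap_auth(rec: dict, user_name: str) -> dict:
    """Return the LDAP operations PostgreSQL would perform to authenticate user_name."""
    if rec.get("method") != "ldap":
        raise ValueError("not an ldap entry")
    if not rec.get("ldapserver"):
        raise ValueError("ldapserver is required")  # ldapurl (9.4+) is not modelled here
    uses_search = any(k in rec for k in SEARCH_OPTS)
    uses_simple = any(k in rec for k in SIMPLE_OPTS)
    if uses_search and uses_simple:
        raise ValueError("search+bind and simple-bind options cannot be mixed")
    plan = {"server": rec["ldapserver"], "starttls": rec.get("ldaptls") == "1"}
    if uses_search:
        if "ldapbasedn" not in rec:
            raise ValueError("ldapbasedn is required for search+bind")
        bad = FILTER_METACHARS & set(user_name)
        if bad:
            raise ValueError(f"invalid character in user name: {''.join(sorted(bad))}")
        attr = rec.get("ldapsearchattribute", "uid")  # PostgreSQL's default attribute
        plan["mode"] = "search+bind"
        plan["steps"] = [
            # 1. bind as the service account named in pg_hba.conf (anonymous if none)
            ("bind", rec.get("ldapbinddn", ""), "<ldapbindpasswd>"),
            # 2. subtree search under ldapbasedn; exactly one entry must match
            ("search", rec["ldapbasedn"], f"({attr}={user_name})"),
            # 3. bind again as the entry found, with the password the user typed
            ("bind", "<DN of the single matching entry>", "<user password>"),
        ]
    else:
        # Simple bind: the bind name is built from the pieces, no directory search
        dn = rec.get("ldapprefix", "") + user_name + rec.get("ldapsuffix", "")
        plan["mode"] = "simple bind"
        plan["steps"] = [("bind", dn, "<user password>")]
    return plan


def hardening_notes(rec: dict) -> list:
    """Points a reviewer would raise about an ldap entry in pg_hba.conf."""
    notes = []
    if "ldapbindpasswd" in rec:
        notes.append("service-account password stored in clear text in pg_hba.conf")
    if rec.get("ldaptls") != "1":
        notes.append("no ldaptls=1: binds reach the directory unencrypted")
    # True in both modes, which is Stephen's argument for GSS/Kerberos instead
    notes.append("user password is presented to the PostgreSQL server on every login")
    return notes


# Constructed sample lines shaped like the configurations in this thread.
SEARCH_BIND_LINE = ('local all all ldap ldapserver=192.0.2.10 '
                    'ldapbasedn="DC=acme,DC=local" '
                    'ldapbinddn="CN=pg bind,OU=DB_Accounts,DC=acme,DC=local" '
                    'ldapsearchattribute=sAMAccountName ldapbindpasswd=PLACEHOLDER')
# Simple bind: no service account needed; assumes AD accepts user@domain as a bind name.
SIMPLE_BIND_LINE = 'local all all ldap ldapserver=192.0.2.10 ldaptls=1 ldapsuffix="@acme.local"'

if __name__ == "__main__":
    for line in (SEARCH_BIND_LINE, SIMPLE_BIND_LINE):
        rec = parse_hba_line(line)
        print(plan_ldap_auth(rec, "gnicol"))
        print(hardening_notes(rec))
```

Running it shows why the simple-bind form removes a whole class of configuration problems: there is no service account, no stored bind password and no search base to get wrong, because the bind name is built directly from the login name. What it does not remove, in either mode, is the fact that the user's password transits the PostgreSQL server on every connection, which is the point Stephen makes above in favour of GSS.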

Re: [GENERAL] LDAP authentication without OU in ldapbasedn

From
Gregory Nicol
Date:

Simple bind mode works nicely. Thank you.


From: Jeff Janes [mailto:jeff.janes@gmail.com]
Sent: 14 July 2017 03:55
To: Gregory Nicol <Gregory.Nicol@Medbank.com.mt>
Cc: pgsql-general@postgresql.org
Subject: Re: [GENERAL] LDAP authentication without OU in ldapbasedn