On Sat, 2021-02-13 at 10:36 +0000, João Gaspar wrote:
> I have a PostgreSQL 13.1 (RHEL 8.3) server and I want to configure the
> pg_hba.conf with a remote ldaps server.
>
> My steps:
>
> I create a PostgreSQL user1 with the superuser role to test the ldaps
> authentication method in the terminal client.
>
> Modify the pg_hba.conf to:
>
> host all all 0.0.0.0/0 ldap
> ldapurl="ldaps://serverurl:636/DC=company,DC=example,DC=com?sAMAccountName?sub"
> ldapbinddn="user-to-do-authentication-ldap-connection"
> ldapbindpasswd=" user-ldap-connection password-authentication"
>
> Save and restart the PostgreSQL service.
>
> Try to connect with the terminal client with psql -h
> postgresqlremoteserverhost -U user1, and after entering the password it gives the
> following error:
> psql: FATAL: LDAP authentication failed for user "user1"
>
> I validated the ldap user1 with ldapsearch (on the RHEL host) and user1
> appears in the ldapsearch output correctly using the same ldapurl, ldapbinddn and
> ldapbindpasswd.
>
> Checking the remote PostgreSQL logs, the connection to the remote ldaps server
> does the correct authentication but can't search by the attribute sAMAccountName.
> Here is the PostgreSQL log:
> could not search LDAP for filter "(sAMAccountName=user1)" on server
> "serverurl": Operations error
> 2021-02-13 10:02:54.679 WET [1127801] DETAIL:
> LDAP diagnostics: 000004DC: LdapErr: DSID-0C0907E9,
> comment: To perform this operation a successful bind must be completed on the
> connection., data 0, v2580
>
> Info: user1 was also created in the ldaps server with sAMAccountName
> user1.
>
> It seems that the problem is in the pg_hba.conf, in how to tell it to search. Has
> anyone had a similar problem or a resolution?
That error looks strange to me, but I am not an LDAP expert.

Your configuration seems fine to me, and if it gets to search, it must have
bound to "DC=company,DC=example,DC=com?sAMAccountName" as the "ldapbinddn" first.

What I would do is experiment with the "ldapsearch" executable from OpenLDAP
and see if you can reproduce the problem from the command line.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
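Laurenz's advice to reproduce the problem from the command line, worked through as an added example (my code, not PostgreSQL's or OpenLDAP's): the script takes the ldapurl from the pg_hba.conf line in the thread apart, shows the separate ldap* options it is equivalent to, builds the search filter exactly as it appears in the server log, and prints the two OpenLDAP client commands that replay what PostgreSQL's search+bind mode does: first a bind as the service account followed by the search, then a second bind as the DN the search returned, using the password the user typed into psql. The host name and base DN are the poster's; the service-account DN and password are made-up placeholders, and the set of filter metacharacters rejected in a user name is my assumption of the characters PostgreSQL refuses.

```python
"""Added example, not PostgreSQL code: take a pg_hba.conf ldapurl apart and
show what search+bind does with it, as commands you can run by hand."""
import shlex
from urllib.parse import unquote, urlsplit

# The ldapurl from the post, with the poster's placeholder host name.
THREAD_URL = "ldaps://serverurl:636/DC=company,DC=example,DC=com?sAMAccountName?sub"

# Characters rejected in a user name before it goes into the search filter, so
# that a login name cannot inject filter syntax (assumed to match the set
# PostgreSQL refuses: '*', '(', ')', '\' and '/').
FILTER_METACHARS = set("*()\\/")


def parse_ldapurl(url):
    """Split an RFC 4516 URL: scheme://host[:port]/basedn?attr?scope?filter."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps") or not p.hostname:
        raise ValueError("ldapurl must look like ldap[s]://host[:port]/basedn")
    fields = p.query.split("?") if p.query else []
    fields += [""] * (3 - len(fields))          # pad missing attr/scope/filter
    attr, scope, filt = (unquote(f) for f in fields[:3])
    scope = scope or "base"                      # RFC 4516 default scope
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unsupported LDAP scope {scope!r}")
    return {
        "scheme": p.scheme,
        "host": p.hostname,
        "port": p.port or (636 if p.scheme == "ldaps" else 389),
        "basedn": unquote(p.path.lstrip("/")),
        "attribute": attr or "uid",              # PostgreSQL's default search attribute
        "scope": scope,
        "filter": filt or None,
    }


def equivalent_options(url):
    """The separate pg_hba.conf options that express the same ldapurl.
    Note: there is no separate scope option; with the separate options
    PostgreSQL always searches the whole subtree under ldapbasedn."""
    u = parse_ldapurl(url)
    opts = {
        "ldapscheme": u["scheme"],
        "ldapserver": u["host"],
        "ldapport": str(u["port"]),
        "ldapbasedn": u["basedn"],
    }
    if u["filter"]:
        opts["ldapsearchfilter"] = u["filter"]   # "$username" is substituted at login
    else:
        opts["ldapsearchattribute"] = u["attribute"]
    return opts


def search_filter(url, user_name):
    """The filter sent in the first (service-account) search, e.g. the
    "(sAMAccountName=user1)" seen in the poster's server log."""
    if FILTER_METACHARS & set(user_name):
        raise ValueError("invalid character in user name for LDAP authentication")
    u = parse_ldapurl(url)
    if u["filter"]:
        return u["filter"].replace("$username", user_name)
    return f"({u['attribute']}={user_name})"


def reproduce_commands(url, binddn, bindpw, user_name):
    """Two OpenLDAP client commands that replay search+bind by hand.
    Step 1 binds as ldapbinddn/ldapbindpasswd and runs the search;
    step 2 binds as the DN step 1 returned, prompting for the user's password."""
    u = parse_ldapurl(url)
    server = f"{u['scheme']}://{u['host']}:{u['port']}"
    step1 = ["ldapsearch", "-LLL", "-H", server, "-D", binddn, "-w", bindpw,
             "-b", u["basedn"], "-s", u["scope"], search_filter(url, user_name), "dn"]
    step2 = ["ldapwhoami", "-H", server, "-D", "<DN returned by step 1>", "-W"]
    return shlex.join(step1), shlex.join(step2)


if __name__ == "__main__":
    for key, value in equivalent_options(THREAD_URL).items():
        print(f"{key}={value}")
    # Service-account DN and password are made-up placeholders.
    first, second = reproduce_commands(
        THREAD_URL, "CN=svc-postgres,OU=Service Accounts,DC=company,DC=example,DC=com",
        "bind-password", "user1")
    print(first)
    print(second)
```

Step 1 is the operation the poster's log shows failing: the server's diagnostic text says the search arrived on a connection without a completed bind, so if the printed ldapsearch succeeds with the same -D and -w values while PostgreSQL still logs that error, the bind the server performs is not the one the ldapsearch test performed, and the two should be compared (credentials, TLS settings, the exact ldapurl string). Step 2 only makes sense once step 1 returns exactly one DN. Since ldapbindpasswd sits in clear text in pg_hba.conf, keep that file readable only by the postgres user.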