
I'm attempting to configure my PostgreSQL server 12.6 [Ubuntu 20.04 build] to do authenticated LDAP user authentication against my 2012 Active Directory tree via LDAP. I've set up my pg_hba.conf file; here is my most recent attempt. I've also tried the ldapserver-style setup and both get the same error results.

host all all all ldap ldapurl="ldap://stc.int:389/dc=stc,dc=int?sAMAccountName" ldapbinddn="CN=PostgreSQL Service Account,OU=Service Accounts,DC=stc,DC=int" ldapbindpasswd="<scrubed>"

When I try to log in, I get the following errors on the server:

2021-05-26 12:47:00.008 UTC [2767782] btyger-admin@btyger-admin LOG: could not search LDAP for filter "(sAMAccountName=btyger-admin)" on server "stc.int": Operations error
2021-05-26 12:47:00.008 UTC [2767782] btyger-admin@btyger-admin DETAIL: LDAP diagnostics: 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
2021-05-26 12:47:00.008 UTC [2767782] btyger-admin@btyger-admin FATAL: LDAP authentication failed for user "btyger-admin"
2021-05-26 12:47:00.008 UTC [2767782] btyger-admin@btyger-admin DETAIL: Connection matched pg_hba.conf line 106: "host all all all ldap ldapurl="ldap://stc.int:389/dc=stc,dc=int?sAMAccountName" ldapbinddn="CN=PostgreSQL Service Account,OU=Service Accounts,DC=stc,DC=int" ldapbindpasswd="<scrubed>""

I know that AD error happens when an LDAP client tries to do an unauthenticated search. I've verified the credentials with an ldapsearch command from the same machine, and the parameters/credentials verify correctly.

Am I missing something here or am I seeing a bug?

  • Have you verified both the bind account credentials and the user credentials? Commented May 29, 2021 at 11:07

2 Answers


Long shot: set the scope to sub. The default in this configuration is base.

From the PostgreSQL LDAP docs:

ldapurl: An RFC 4516 LDAP URL. This is an alternative way to write some of the other LDAP options in a more compact and standard form. The format is

ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]

scope must be one of base, one, sub, typically the last. (The default is base, which is normally not useful in this application.) attribute can nominate a single attribute, in which case it is used as a value for ldapsearchattribute. If attribute is empty then filter can be used as a value for ldapsearchfilter.

  • I did try that already. It didn't help. Commented Jun 2, 2021 at 17:58


I figured out the issue. It was a problem with Active Directory LDAP policies.

  • One policy said I couldn't search without an authenticated user.
  • Another said I wasn't allowed to bind over an unsecured LDAP.
  • Thought I was using a different TLS certificate

So when I tried to bind as the service account over LDAPS, I was hitting the wrong-cert error. When I tried to bind over unsecured LDAP, I was not allowed to bind over unsecured LDAP.
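The two answers above point at two separate settings on the same pg_hba.conf line: the ldapurl scope defaulting to base (first answer) and the bind happening over plain ldap:// so that a directory policy rejects it (second answer). The following Python script is an added example, not code from the question or from PostgreSQL: it parses the ldap entries of a pg_hba.conf, decodes the RFC 4516 ldapurl and flags both conditions, plus the presence of ldapbindpasswd in the file. The sample file is constructed here (line 2 mirrors the entry from the question with the password scrubbed as on the page, line 3 is a hardened variant); the ldaptls=1 check refers to PostgreSQL's real ldaptls option for StartTLS on a plain ldap:// connection.

```python
"""Lint the ldap entries of a pg_hba.conf for the pitfalls in this thread.

Added example, not code from the question or from PostgreSQL itself.
Findings reported per line:
  SCOPE_BASE        scope missing or 'base' (PostgreSQL's default for ldapurl)
  CLEARTEXT_BIND    ldap:// without ldaptls=1, so the bind password crosses
                    the wire unencrypted and a directory policy may refuse it
  PASSWORD_IN_FILE  ldapbindpasswd present, so pg_hba.conf must stay private
"""
import shlex
from urllib.parse import urlsplit, unquote

# Auth methods accepted in the METHOD column (PostgreSQL 12 documentation).
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

# Constructed sample: line 2 mirrors the entry from the question (password
# scrubbed as on the page); line 3 is a hardened variant for comparison.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
host all all all ldap ldapurl="ldap://stc.int:389/dc=stc,dc=int?sAMAccountName" ldapbinddn="CN=PostgreSQL Service Account,OU=Service Accounts,DC=stc,DC=int" ldapbindpasswd="<scrubed>"
host all all all ldap ldapurl="ldaps://stc.int:636/dc=stc,dc=int?sAMAccountName?sub" ldapbinddn="CN=PostgreSQL Service Account,OU=Service Accounts,DC=stc,DC=int" ldapbindpasswd="<scrubed>"
host all all all scram-sha-256
"""


def parse_ldapurl(url):
    """Decode ldap[s]://host[:port]/basedn[?attribute[?scope[?filter]]]."""
    parts = urlsplit(url)
    # Everything after the first '?' lands in .query; the remaining '?' split it.
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": fields[0],
        "scope": fields[1] or "base",  # RFC 4516 default, and PostgreSQL's
        "filter": fields[2],
    }


def parse_hba_line(line):
    """Return {'type', 'method', 'options'} for a rule line, None for comments/blank."""
    tokens = shlex.split(line, comments=True)  # shlex strips the "..." around option values
    for i, tok in enumerate(tokens):
        if tok in METHODS:
            opts = dict(t.split("=", 1) for t in tokens[i + 1:] if "=" in t)
            return {"type": tokens[0], "method": tok, "options": opts}
    return None


def lint_ldap_entry(entry):
    """Return a list of (code, message) findings for one parsed rule."""
    findings = []
    if entry is None or entry["method"] != "ldap":
        return findings
    opts = entry["options"]
    if "ldapbindpasswd" in opts:
        findings.append(("PASSWORD_IN_FILE",
                         "bind password is stored in pg_hba.conf; keep the file "
                         "readable only by the postgres user"))
    if "ldapurl" not in opts:
        return findings  # separate-parameter form: no URL to decode here
    url = parse_ldapurl(opts["ldapurl"])
    if url["scope"] == "base":
        findings.append(("SCOPE_BASE",
                         "scope is base, so the search only matches the base DN "
                         "itself; append ?sub to search the whole subtree"))
    if url["scheme"] == "ldap" and opts.get("ldaptls") != "1":
        findings.append(("CLEARTEXT_BIND",
                         "ldap:// without ldaptls=1 sends the bind password in "
                         "cleartext; use ldaps:// or ldaptls=1 (a directory policy "
                         "may refuse the bind otherwise)"))
    return findings


def lint_pg_hba(text):
    """Lint every line; returns [(line_number, code, message), ...]."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for code, message in lint_ldap_entry(parse_hba_line(line)):
            results.append((lineno, code, message))
    return results


def codes_for_line(results, lineno):
    """Set of finding codes raised for one line number."""
    return {code for n, code, _ in results if n == lineno}


if __name__ == "__main__":
    for lineno, code, message in lint_pg_hba(SAMPLE_PG_HBA):
        print(f"line {lineno}: {code}: {message}")
```

Run against the sample, line 2 (the question's entry) raises all three findings, while line 3 only raises PASSWORD_IN_FILE, which is expected whenever the search-and-bind form is used at all. The scope check only covers the ldapurl form, since that is where PostgreSQL applies the base default quoted in the first answer.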
