BUG #16234: LDAP Query

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

BUG #16234: LDAP Query

PG Bug reporting form
The following bug has been logged on the website:

Bug reference:      16234
Logged by:          Sujith kumar
Email address:      [hidden email]
PostgreSQL version: 9.5.20
Operating system:   RHEL 7.7
Description:        

Hi Team,

I have a requirement to do authentication through LDAP, the LDAP query
should go to two different LDAP servers with dedicated binding users (
different for two LDAP servers) , if the user is not available in first LDAP
then it should check in second LDAP. But here as per hba file , it won't
work in this model ( If there is no successful search in first hope, it will
throw error).

So we have to do multiple query in the LDAP query string, how we can do
this?

Regards,
Sujith Kumar.S

Reply | Threaded
Open this post in threaded view
|

Re: BUG #16234: LDAP Query

Thomas Munro-5
On Tue, Jan 28, 2020 at 3:56 AM PG Bug reporting form
<[hidden email]> wrote:

> The following bug has been logged on the website:
>
> Bug reference:      16234
> Logged by:          Sujith kumar
> Email address:      [hidden email]
> PostgreSQL version: 9.5.20
> Operating system:   RHEL 7.7
> Description:
>
> Hi Team,
>
> I have a requirement to do authentication through LDAP, the LDAP query
> should go to two different LDAP servers with dedicated binding users (
> different for two LDAP servers) , if the user is not available in first LDAP
> then it should check in second LDAP. But here as per hba file , it won't
> work in this model ( If there is no successful search in first hope, it will
> throw error).
>
> So we have to do multiple query in the LDAP query string, how we can do
> this?

Hi Sujith,

This isn't a bug report, it's a question, so it belongs on the
pgsql-general mailing list, not the pgsql-bugs mailing list (which
you've reached via the bug reporting form).

But since I'm here:  I don't think you can do that with the built-in
LDAP support.  It does allow for multiple hostnames, but it doesn't
allow for different binding users.  Later PostgreSQL release added
some more flexibility, but still not that.  Furthermore, pg_hba.conf
doesn't have a way to consider multiple lines (it can't try one line,
then try a second line if that fails, ..., it only tries the first
matching line and if it fails, it's game over).

One approach would be to use PostgreSQL's PAM authentication mode
instead.  PAM does have non-terminating "sufficient" rules (only one
needs to succeed).  You'd need a pg_hba.conf line that says "ask PAM,
my service name is postgresql", and then a file /etc/pam.d/postgresql
that has something like (completely untested, just guessing here):

auth sufficient pam_ldap.so config=/path/first-ldap.conf
auth sufficient pam_ldap.so config=/path/second-ldap.conf
account required pam_permit.so

The referenced config files could contain different binddn lines and
whatever else you need.  I don't know the details (see man pam_ldap).
Or perhaps you could use pam_exec.so instead, and point it at a Turing
machine of your own design that says yes or no, though it's probably
better to stick to ready-made solutions for authentication where
possible.

Standard free warning: whenever using LDAP, be aware of cleartext
passwords visible to everyone on your network if you don't use
SSL/TLS, even if you are using SSL for the connection between client
and PostgreSQL.


Reply | Threaded
Open this post in threaded view
|

Re: BUG #16234: LDAP Query

Stephen Frost
* PG Bug reporting form ([hidden email]) wrote:
> I have a requirement to do authentication through LDAP, the LDAP query
> should go to two different LDAP servers with dedicated binding users (
> different for two LDAP servers) , if the user is not available in first LDAP
> then it should check in second LDAP. But here as per hba file , it won't
> work in this model ( If there is no successful search in first hope, it will
> throw error).
>
> So we have to do multiple query in the LDAP query string, how we can do
> this?

What kind of setup is this, that you have two LDAP servers involved..?
That's certainly not a common setup that I've seen..

If what you actually have are two different Active Directory domains and
you want users to be able to authenticate from either one, then you
would typically place the PG server in one of them and then create a
cross-realm trust between the two AD realms, so that users can gain
access to resources in the other realm.

In other words, if you have:

- ABC.COM realm
- XYZ.COM realm

and your users exist in ABC.COM, and your PG server is in XYZ.COM, then
you'd need a cross-realm trust, whereby XYZ.COM will trust the users
being presented from ABC.COM.  You can also enable the cross-realm trust
in the other direction, if you want.  Of course, users in XYZ.COM will
already be able to authenticate to the PG server in the same realm.

Note that the approach outlined above, and in general the better
approach to use here, does *not* use LDAP; if you're in an environment
like Active Directory which supports kerberos/GSS natively, and
configure PG to use GSS.

* Thomas Munro ([hidden email]) wrote:
> Standard free warning: whenever using LDAP, be aware of cleartext
> passwords visible to everyone on your network if you don't use
> SSL/TLS, even if you are using SSL for the connection between client
> and PostgreSQL.

Further- no matter what you do, if you're using LDAP for auth with PG,
the PG server will see the user's password, in cleartext, meaning that
if the PG server is ever compromised, every user who logs into it after
that will have their full network credentials stolen.  The same is true
with the PAM solution presented earlier.  Basically, don't do it, it's
not secure.

Thanks,

Stephen

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

RE: BUG #16234: LDAP Query

Albin, Lloyd P
Hi Sujith,

* PG Bug reporting form ([hidden email]) wrote:

> > I have a requirement to do authentication through LDAP, the LDAP query
> > should go to two different LDAP servers with dedicated binding users (
> > different for two LDAP servers) , if the user is not available in
> > first LDAP then it should check in second LDAP. But here as per hba
> > file , it won't work in this model ( If there is no successful search
> > in first hope, it will throw error).
> >
> > So we have to do multiple query in the LDAP query string, how we can
> > do this?
>
> What kind of setup is this, that you have two LDAP servers involved..?
> That's certainly not a common setup that I've seen..

I have seen his type of setup before when companies have two different LDAP servers.
One LDAP Server for Employees
One LDAP Server for Non-Employees and System Accounts

The way to make this work, is to pick one of the groups of people and create a Postgres group and add all those users to that group. Let's call the Postgres group  ldap1_group.

You now need to duplicate each line in your pg_hba.conf file. The first line you will point to ldap1 and the second line you will point to ldap2. Then in the first line update the user field where you might normally have "all" to "+ldap1_group". The + tells Postgres that this is a group and to use this authentication method for everybody in that Postgres group.

Hope this helps,
Lloyd Albin