Re: BUG #16064: Ldap Authentication failing with pg_hba.conf entry

Greetings,

* PG Bug reporting form (noreply@postgresql.org) wrote:
> Can any one please guide me what is the issue with my ldap authentication on
> Postgresql 10.10. Here is the Entry for ldap in pg_hba.conf file
>
> host      all           all           XX.XX.XXX.XX/32         ldap
> ldapserver=XX.XX.XXX.XX ldapbasedn="ou=People,dc=internal,dc=com"
> ldapbinddn="cn=Tom,ou=People,dc=internal,dc=com" ldapbindpasswd="Test123#"
> ldapport=389
>
> I created the same user "Tom" in the Postgres database too . Also created
> the User "Tom" other user "svc-ldap" in active directory too.
>
> When I am trying to connect to PostgreSQL server from other remote server,
> the authentication is failing with
>
> psql: FATAL:  no pg_hba.conf entry for host "XXX.XX.XXX.XXX", user "Tom",
> database "Tom", SSL off

Unfortunately, you haven't provided what the specific IP addresses are,
but it looks like perhaps they don't match...?  Note that when you
specify a '/32', the IP address in the pg_hba.conf must match EXACTLY
the IP address that the connection attempt is coming from.

All that said, you mention that you're using Active Directory, which
itself actually uses Kerberos for authentication- not LDAP, and
PostgreSQL directly supports Kerberos authentication through GSSAPI.  I
strongly encourage you to look into use GSSAPI instead, it's much more
secure than using LDAP-based auth and avoids the user's password being
sent to the PostgreSQL server (where it could be compromised if the PG
process is compromised).

Thanks,

Stephen