Re: Secure LDAP auth on windows machine inside domain
From | Holger Jakobs |
---|---|
Subject | Re: Secure LDAP auth on windows machine inside domain |
Date | |
Msg-id | 44dd37ad-696a-f7a7-bf0a-ee59f08294c8@jakobs.com |
In reply to | Secure LDAP auth on windows machine inside domain (Rocco Kreutz <r.kreutz@prodat-sql.de>) |
Responses | Re: Secure LDAP auth on windows machine inside domain |
List | pgsql-admin |
On 21.05.21 at 14:02, Rocco Kreutz wrote:
> I'm looking for some help with setting up LDAP-Auth.
>
> Scenario is:
> - Computer in Windows Domain runs PostgreSQL
> - The AD-DC is using a self-signed certificate
> - That cert is already imported to trusted root cert store on that computer
> - LDAP auth without encryption does work fine
>   (
>   ldap ldapserver=???.???.???.de ldaptls=0
>   ldapbasedn="CN=Users,DC=???,DC=???,DC=???"
>   ldapbinddn="CN=prodatbind,CN=Users,DC=???,DC=???,DC=???"
>   ldapbindpasswd="???" ldapsearchattribute="sAMAccountName"
>   )
> - I'm trying to log on as prodatadmin (prodatbind account is just for the ldap-bind)
> - Now either tls or ldaps needs to be activated
>
> If I change to tls=1 I get the error message:
>
> 2021-05-21 13:38:35.639 CEST [968] LOG: could not start LDAP TLS session: Lokaler Fehler
> 2021-05-21 13:38:35.639 CEST [968] DETAIL: LDAP diagnostics: Lokaler Fehler
> 2021-05-21 13:38:35.640 CEST [968] FATAL: LDAP authentication failed for user "prodatadmin"
>
> Lokaler Fehler -> local error
>
> If I change to ldaps I get the error message:
>
> 2021-05-21 13:41:34.759 CEST [13412] LOG: could not perform initial LDAP bind for ldapbinddn "CN=prodatbind,CN=Users,DC=???,DC=???,DC=???" on server "???.???.???.???": Server heruntergefahren
> 2021-05-21 13:41:34.759 CEST [13412] DETAIL: LDAP diagnostics: Server heruntergefahren
> 2021-05-21 13:41:34.760 CEST [13412] FATAL: LDAP authentication failed for user "prodatadmin"
>
> Server heruntergefahren -> Server is down
>
> With ldapadmin (ldapadmin.org) I can connect with ssl or tls. I just get a warning about the certificate.
> So what do I need to do to get PostgreSQL LDAP to accept that certificate?
>
> Thx

If both your clients and server are running on Windows, the best authentication method is SSPI.

--
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012
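An added example, not part of the original thread and not PostgreSQL project code: a small audit script that reads pg_hba.conf records and reports how each `ldap` entry protects the bind, which is the `ldaptls=0` versus TLS/LDAPS distinction discussed above. The sample file, host names and DNs are constructed placeholders; the option names (`ldaptls`, `ldapscheme`, `ldapurl`) are PostgreSQL's documented LDAP options.

```python
import ipaddress
import shlex

# Constructed sample pg_hba.conf; server name and DNs are placeholders.
SAMPLE_HBA = '''\
# TYPE  DATABASE  USER  ADDRESS  METHOD
host all all 10.0.0.0/8 ldap ldapserver=dc1.example.test ldaptls=0 ldapbasedn="CN=Users,DC=example,DC=test" ldapsearchattribute="sAMAccountName"
host all all 10.0.0.0/8 ldap ldapserver=dc1.example.test ldaptls=1 ldapbasedn="CN=Users,DC=example,DC=test"
host all all 10.0.0.0 255.0.0.0 ldap ldapserver=dc1.example.test ldapscheme=ldaps ldapbasedn="CN=Users,DC=example,DC=test"
host all all 10.0.0.0/8 ldap ldapurl="ldap://dc1.example.test/CN=Users,DC=example,DC=test?sAMAccountName"
host all all 10.0.0.0/8 sspi
'''

def method_and_options(tokens):
    """Return (auth_method, {option: value}) for one tokenized record."""
    if tokens[0] == "local":
        idx = 3                       # local DATABASE USER METHOD
    else:
        idx = 4                       # host* DATABASE USER ADDRESS METHOD
        try:                          # "ADDRESS NETMASK" form has one more field
            ipaddress.ip_address(tokens[3])
            idx = 5
        except ValueError:
            pass
    if idx >= len(tokens):
        return None, {}
    opts = dict(t.split("=", 1) for t in tokens[idx + 1:] if "=" in t)
    return tokens[idx], opts

def ldap_transport(opts):
    """Classify how the LDAP connection is protected."""
    if opts.get("ldapscheme") == "ldaps" or opts.get("ldapurl", "").lower().startswith("ldaps://"):
        return "ldaps"                # TLS from the first byte
    if opts.get("ldaptls") == "1":
        return "starttls"             # StartTLS upgrade before the bind
    return "cleartext"                # bind DN and passwords cross the wire unencrypted

def audit(hba_text):
    """Return [(line_number, transport)] for every ldap record."""
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)   # handles "quoted values" and # comments
        if len(tokens) < 4:
            continue
        method, opts = method_and_options(tokens)
        if method == "ldap":
            findings.append((lineno, ldap_transport(opts)))
    return findings

if __name__ == "__main__":
    for lineno, transport in audit(SAMPLE_HBA):
        print(f"line {lineno}: ldap over {transport}")
```

The script only reports what the configuration requests; whether the server's certificate is accepted is decided by the LDAP client library PostgreSQL was built with.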