Re: BUG #9818: LDAP Authentication subtree problem
From | Sáreník Ján |
---|---|
Subject | Re: BUG #9818: LDAP Authentication subtree problem |
Date | |
Msg-id | 843D3E17DE797541BAB4BF8053430A0576E079@CZ99PMBX01.CZGLI.LOCAL |
In reply to | Re: BUG #9818: LDAP Authentication subtree problem (Magnus Hagander <magnus@hagander.net>) |
Responses | Re: BUG #9818: LDAP Authentication subtree problem |
List | pgsql-bugs |
Hello Magnus!

On Tue, Apr 18, 2014 at 3:51 PM, Magnus Hagander wrote:
> That page is about the ModifyObject() function, which we're
> definitely not calling. And it's under the section about DFS replication
> helper protocol. So either you posted the wrong URL, or you have
> misdiagnosed it.

Yes, I might have misdiagnosed it, but it was the closest match possible.

> Do you get anything in the AD controller logs at this time? Or if
> you can get a packet trace, does it show something clear about what's
> actually going wrong?

No, as AD is managed by another part of the company and there are no issues using Apache2 or ldapsearch against it, so I do not assume the problem resides on that side.

> I wonder if it might be related to the use of an LDAP url, that somehow
> gets the subtree search wrong. Can you check to see if it works if
> you specify the individual parts without using an url, e.g.
>
> local all all ldap
> ldapserver=aa00aaa001.aaaa.corp.local
> ldapbasedn=DC=aaaa,DC=corp,DC=local ldapsearchattribute=sAMAccountName
> ldapbinddn="CN=svcLDAPDWH,OU=Services,OU=UsersAdm,DC=aaaa,DC=corp,DC=local"
> ldapbindpasswd="XXXXXX"
>
> For ldap auth not using the url syntax, subtree search is always used.

I tried this on today's unpatched PostgreSQL (8d34f6862) and it does not work. It gives me the same error as when I use ldapurl in pg_hba.conf. Just note that I had to quote ldapbasedn's parameter - otherwise the database server wouldn't start.

As for the packets:

1. bindRequest(1) "CN=svcLDAPDWH,OU=Services,OU=UsersAdm,..."
2. bindResponse(1) success
3. searchRequest(2) "DC=aaaa,DC=corp,DC=local" wholeSubtree
4. searchResEntry(2) "CN=T912348,OU=UsersW7,DC=gpcz,DC=corp,DC=local"
   | searchResRef(2)
   | searchResDone(2) success [1result]
----------------------------------------------------

Then the two (patched and unpatched) start to diverge:

Patched:
----------------------------------------------------
5. unbindRequest(6)
6. bindRequest(1) "CN=user,OU=subgroup,..." simple
7. bindResponse(1) success
8. unbindRequest(2)

Unpatched:
----------------------------------------------------
5. bindRequest(4) "<ROOT>" simple
6. bindResponse(4) success
7. searchRequest(3) "DC=DomainDnsZones,DC=aaaa,..." wholeSubTree
8. searchResDone(3) operationsError (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successfulbind must be completed on the connection., data 0, v1db1) [0 results]
9. unbindRequest(5)

Thanks for feed-back!

Best regards,
Jasan