Discussion: Secure LDAP auth on Windows machine inside domain
I'm looking for some help with setting up LDAP-Auth.

Scenario is:
- Computer in Windows Domain runs PostgreSQL
- The AD-DC is using a self-signed certificate
- That cert is already imported to trusted root cert store on that computer
- LDAP auth without encryption does work fine
  (
  ldap ldapserver=???.???.???.de ldaptls=0
  ldapbasedn="CN=Users,DC=???,DC=???,DC=???"
  ldapbinddn="CN=prodatbind,CN=Users,DC=???,DC=???,DC=???"
  ldapbindpasswd="???" ldapsearchattribute="sAMAccountName"
  )
- I'm trying to logon as prodatadmin (prodatbind account is just for the ldap-bind)
- Now either tls or ldaps needs to be activated

If I change to tls=1 I get the error message:

2021-05-21 13:38:35.639 CEST [968] LOG: could not start LDAP TLS session: Lokaler Fehler
2021-05-21 13:38:35.639 CEST [968] DETAIL: LDAP diagnostics: Lokaler Fehler
2021-05-21 13:38:35.640 CEST [968] FATAL: LDAP authentication failed for user "prodatadmin"

Lokaler Fehler -> local error

If I change to ldaps I get the error message:

2021-05-21 13:41:34.759 CEST [13412] LOG: could not perform initial LDAP bind for ldapbinddn "CN=prodatbind,CN=Users,DC=???,DC=???,DC=???" on server "???.???.???.???": Server heruntergefahren
2021-05-21 13:41:34.759 CEST [13412] DETAIL: LDAP diagnostics: Server heruntergefahren
2021-05-21 13:41:34.760 CEST [13412] FATAL: LDAP authentication failed for user "prodatadmin"

Server heruntergefahren -> Server is down

With ldapadmin (ldapadmin.org) I can connect with ssl or tls. I just get a warning about the certificate.
So what do I need to do to get PostgreSQL LDAP to accept that certificate?

Thx
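As an added check that is not part of the original post: the PowerShell script below, run on the Windows host that carries PostgreSQL, exercises the two encrypted paths a pg_hba.conf ldap line can request, StartTLS on 389 (ldaptls=1) and TLS-from-the-start on 636 (ldapscheme=ldaps, PostgreSQL 11 and later), through System.DirectoryServices.Protocols, which sits on the same Windows LDAP library (wldap32) the Windows PostgreSQL build links against. It separates three stages that the two log messages above blur together: TCP reachability of the port, validation of the DC's certificate chain against the machine's trusted root store (plus a host-name match), and the simple bind PostgreSQL performs with ldapbinddn. The server name, bind DN and password are placeholders for the values redacted as ??? in the post.

```powershell
# Added example, not from the thread. dc01.example.de and the DNs below are
# placeholders for the values redacted as ??? in the post.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'dc01.example.de'                          # placeholder; the DNS name the DC cert was issued to, not an IP
$BindDn = 'CN=prodatbind,CN=Users,DC=example,DC=de'  # placeholder bind DN (the ldapbinddn from pg_hba.conf)
$Cred   = New-Object System.Net.NetworkCredential($BindDn, (Read-Host -AsSecureString 'Bind password'))

function Test-LdapBind {
    param(
        [string]$ComputerName,
        [int]$Port,
        [switch]$Ldaps,      # TLS from the first byte, port 636  (pg_hba: ldapscheme=ldaps)
        [switch]$StartTls,   # plain connect, then StartTLS, 389 (pg_hba: ldaptls=1)
        [System.Net.NetworkCredential]$Credential
    )
    # Stage 1: is the port reachable at all?
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Host "FAIL ${ComputerName}:${Port}: TCP connect failed"
        return 'tcp'
    }

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ComputerName, $Port, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential

    # Stage 2: certificate check. Returning $true unconditionally here would hide
    # exactly the trust problem being debugged, so build the chain against the
    # machine store, compare the name, and print why either fails.
    $state = @{ ChainOk = $null; NameOk = $null }
    $expectedName = $ComputerName
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $state.ChainOk = $chain.Build($cert2)
        # GetNameInfo returns the first DNS name (SAN, else CN); enough for a DC cert
        $dnsName = $cert2.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $state.NameOk = ($dnsName -ieq $expectedName)
        Write-Host ("  server cert: subject={0} issuer={1} dnsName={2} notAfter={3}" -f $cert2.Subject, $cert2.Issuer, $dnsName, $cert2.NotAfter)
        foreach ($s in $chain.ChainStatus) { Write-Host ("  chain problem: {0} ({1})" -f $s.Status, $s.StatusInformation.Trim()) }
        if (-not $state.NameOk) { Write-Host "  name mismatch: certificate is for '$dnsName', ldapserver says '$expectedName'" }
        return ($state.ChainOk -and $state.NameOk)
    }.GetNewClosure()

    try {
        if ($Ldaps)    { $conn.SessionOptions.SecureSocketLayer = $true }
        if ($StartTls) { $conn.SessionOptions.StartTransportLayerSecurity($null) }
        $conn.Bind()   # Stage 3: the simple bind PostgreSQL does with ldapbinddn/ldapbindpasswd
        Write-Host "OK   ${ComputerName}:${Port} (ldaps=$Ldaps starttls=$StartTls): TLS up, chain valid, bind succeeded"
        return 'ok'
    } catch {
        $stage = if ($state.ChainOk -eq $false -or $state.NameOk -eq $false) { 'certificate' }
                 elseif ($null -eq $state.ChainOk) { 'tls' }
                 else { 'bind' }
        Write-Host "FAIL ${ComputerName}:${Port} (ldaps=$Ldaps starttls=$StartTls) at stage '$stage': $($_.Exception.Message)"
        return $stage
    } finally {
        $conn.Dispose()
    }
}

Test-LdapBind -ComputerName $Server -Port 389 -StartTls -Credential $Cred   # what ldaptls=1 does
Test-LdapBind -ComputerName $Server -Port 636 -Ldaps    -Credential $Cred   # what ldapscheme=ldaps does
```

Two things are worth reading off the output. First, whether any chain problem is printed: the self-signed DC certificate has to be in the machine-wide Trusted Root store, since the PostgreSQL service does not run under the interactive user whose personal store a GUI import may have landed in. Second, the name line: the ldaps attempt in the log above reports the server as four dotted groups, which looks like an IP address, while the working cleartext line uses a .de host name, and a certificate issued to a host name does not validate for an IP. An LDAP GUI that merely warns and proceeds will not surface either problem; PostgreSQL, correctly, refuses.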
On 21.05.21 at 14:02, Rocco Kreutz wrote:
> I'm looking for some help with setting up LDAP-Auth.
>
> Scenario is:
> - Computer in Windows Domain runs PostgreSQL
> - The AD-DC is using a self-signed certificate
> - That cert is already imported to trusted root cert store on that
> computer
> - LDAP auth without encryption does work fine
> (
> ldap ldapserver=???.???.???.de ldaptls=0
> ldapbasedn="CN=Users,DC=???,DC=???,DC=???"
> ldapbinddn="CN=prodatbind,CN=Users,DC=???,DC=???,DC=???"
> ldapbindpasswd="???" ldapsearchattribute="sAMAccountName"
> )
> - I'm trying to logon as prodatadmin (prodatbind account is just for
> the ldap-bind)
> - Now either tls or ldaps needs to be activated
>
> If I change to tls=1 I get the error message:
>
> 2021-05-21 13:38:35.639 CEST [968] LOG: could not start LDAP TLS
> session: Lokaler Fehler
> 2021-05-21 13:38:35.639 CEST [968] DETAIL: LDAP diagnostics: Lokaler
> Fehler
> 2021-05-21 13:38:35.640 CEST [968] FATAL: LDAP authentication failed
> for user "prodatadmin"
>
> Lokaler Fehler -> local error
>
> If I change to ldaps I get the error message:
>
> 2021-05-21 13:41:34.759 CEST [13412] LOG: could not perform initial
> LDAP bind for ldapbinddn "CN=prodatbind,CN=Users,DC=???,DC=???,DC=???"
> on server "???.???.???.???": Server heruntergefahren
> 2021-05-21 13:41:34.759 CEST [13412] DETAIL: LDAP diagnostics: Server
> heruntergefahren
> 2021-05-21 13:41:34.760 CEST [13412] FATAL: LDAP authentication
> failed for user "prodatadmin"
>
> Server heruntergefahren -> Server is down
>
> With ldapadmin (ldapadmin.org) I can connect with ssl or tls. I just
> get a warning about the certificate.
> So what do I need to do to get PostgreSQL LDAP to accept that
> certificate?
>
> Thx

If both your clients and server are running on Windows, the best authentication method is SSPI.
--
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012
It must be LDAP, because the users need to use a shortened, different login, which is stored in AD.

>> If both your clients and server are running on Windows, the best
>> authentication method is SSPI.
Greetings,

* Rocco Kreutz (r.kreutz@prodat-sql.de) wrote:
> It must be LDAP, because the users need to use a shortened, different login,
> which is stored in AD

You can map users using pg_ident.conf, there's no need to use LDAP to have a different login name in the database, and it's not secure to use LDAP. When LDAP is used, the user's credentials are seen by the server in the clear (and there's not really anything you can do about that, it's the nature of that auth method) and therefore if the DB server is compromised then everyone's credentials who logs into the DB server will also be compromised (TLS/SSL doesn't help because that only protects traffic across the network).

Thanks,

Stephen
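What Stephen describes, as an added example that is not from the thread: a pg_hba.conf in which the LDAP line the thread is debugging sits beside an SSPI line with a user-name map, and the pg_ident.conf map that gives an AD account the shorter, different PostgreSQL role name. The host name, the DNs, the 10.0.0.0/8 range and the EXAMPLE.DE realm are placeholders for the values redacted in the thread.

```conf
# pg_hba.conf  (added example; placeholders stand in for the redacted values)
# TYPE    DATABASE  USER  ADDRESS      METHOD  OPTIONS

# Variant the thread is debugging. PostgreSQL receives the user's AD password
# and replays it to the DC in a simple bind, so a compromised DB host can
# capture every password that logs in; TLS (ldapscheme=ldaps, port 636 by
# default) only protects the wire between PostgreSQL and the DC.
hostssl   all       all   10.0.0.0/8   ldap    ldapserver=dc01.example.de ldapscheme=ldaps ldapbasedn="CN=Users,DC=example,DC=de" ldapbinddn="CN=prodatbind,CN=Users,DC=example,DC=de" ldapbindpasswd="<bind-password>" ldapsearchattribute="sAMAccountName"

# Stephen's alternative: Kerberos via SSPI. The password never reaches
# PostgreSQL; the map named here supplies the different login name.
hostssl   all       all   10.0.0.0/8   sspi    map=admap

# pg_ident.conf
# MAPNAME   SYSTEM-USERNAME             PG-USERNAME
# SSPI hands over the principal as user@REALM (include_realm=1, the default in
# current releases). One explicit line per account that needs a shorter role
# name, and a regex line so everyone else keeps their AD account name.
admap       rocco.kreutz@EXAMPLE.DE     prodatadmin
admap       /^(.*)@EXAMPLE\.DE$         \1
```

pg_hba.conf is matched top-down and the first line whose type, database, user and address match is used, so in a real file only one of the two hostssl lines would be kept for a given address range; they are shown together only to put the weak and the stronger setting side by side. Rocco's objection elsewhere in the thread, that SSPI needs keytab work and a server restart, is a deployment cost, not a reason the mapping cannot express the shortened login; pg_ident.conf is what carries that name.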
Cos I'm getting more and more replies, without any help concerning my actual question.
GSSAPI/SSPI is NOT an option. Creating keytab files, merging them, adjusting PostgreSQL config files and then restarting the db-server is not an option.
thx
Hi Rocco,
For Postgres server to ldap (AD), it looks like ldaptls was added to documentation for v10 (see
Using Active Directory for authentication can be done (check the archives of this list; it's been covered). Honestly, outside of what has already been covered in other posts, I don't think I have much to add. Most of what you need to do is external to Postgres (such as determining your LDAP search criteria and verifying connection details). Once you have all of that, updating the pg_hba.conf file is straightforward.
Best regards,
Dan Smith
On Tue, May 25, 2021, 00:20 Rocco Kreutz <r.kreutz@prodat-sql.de> wrote:
> Cos I'm getting more and more replies, without any help concerning my
> actual question.
> GSSAPI/SSPI is NOT an option. Creating keytab files, merging them,
> adjusting PostgreSQL config files and then restarting the db-server is not
> an option.
> thx