Re: [ADMIN] LDAP authentication fails with more than one entryreturned - Mailing list pgsql-admin

As far as I understand you need to give the fully qualified DN to a user if you do simple binding. But in the pg_hba.conf I can only define a prefix that doesn’t change: “uid=”.

 

But because all the users come from different trees the suffix depends on the sub-tree where the user has been added to. This part of the DN can’t be configured statically in the pg_hba.conf.

 

Look at the DN for my example users in my play-instance of openLDAP:

 

uid=mhaertel,cn=ftth,ou=Teams,dc=organization_gismobile,dc=ldap_db1,dc=mydomain,dc=com

 

The part “cn=ftth,ou=Teams,dc=organization_gismobile” only is valid for a small subset of users and therefore I can’t define a full DN for the binding.

Alright I see. Which raises the following question : When two entries with the same uid are found in different trees, then what are the semantics behind? Are those two users represented by those DNs supposed to be the same of different users?
IMHO its not good practice to have the same uid representing different physical persons. If the physical users are different then you may simply change their uids to be unique across the whole tree, regardless of subtree.
However, if the same uid is found in multiple subtrees and is indeed the same user then maybe some arrangement must be done in the LDAP server to somehow present one view of all users under a common dedicated base. In which case you'll prefer the simple bind mode again.

 

Regards,

 

Michael

 

Von: pgsql-admin-owner@postgresql.org [mailto:pgsql-admin-owner@postgresql.org] Im Auftrag von Achilleas Mantzios
Gesendet: Donnerstag, 17. August 2017 16:40
An: pgsql-admin@postgresql.org
Betreff: Re: [ADMIN] LDAP authentication failes with more than one entry returned

 

On 17/08/2017 16:58, Michael.Haertel@t-systems.com wrote:

Hello list,

 

I configured postgreSQL to only allow users that are administered in LDAP to connect to one particular database on my PostgreSQL host. This works fine as long as only one entry is returned for the combination of “ldapbasedn” and “ldapsearchattribute”.

Why don't you go the simple bind mode route? Just specify ldapprefix, ldapsuffix to construct your bind DN, this should by definition be unique.

 

I currently match the LDAP attribute UID against the login name. Problem is that the users exist several times in the specified (sub-) directory tree. Everything works if the user only exists once within the specified “ldapbasedn”.

 

How to deal with that problem?

 

I think it is common practice to have several sub-trees, one per organizational unit for example. Within that OU there are several sub-trees that define privileges for SAMBA shares, database connections or other purposes. Because I need to search for the users across several OUs, I can’t give the path to only one sub-tree.

 

I am currently on windows so I can’t test the ldapurl feature.

 

Would it be possible to use the ldapurl directive to allow an ldapsearch across different 1^st level trees but only look for users within one particular sub-tree in each of the 1^st level trees?

 

Thank you very much for your comments,

 

Michael Härtel

 

-- 

Achilleas Mantzios

IT DEV Lead

IT DEPT

Dynacom Tankers Mgmt

-- 
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt