LDAP authentication

Overview of LDAP authentication

You can use LDAP authentication to access an ADPG cluster. This authentication method operates similarly to Password authentication, except that it uses LDAP as the password verification method. To validate the user name/password pairs, ADPG connects to an LDAP server, such as Active Directory or 389 Directory Server. Note that the user must already exist in the PostgreSQL database before LDAP can be used for authentication.

LDAP authentication can operate in two modes: simple bind and search + bind.

The tables below list the configuration options grouped by bind mode. All these options are specified in the auth-options field of the PG_HBA record. See: Configure ADPG to use LDAP.

Parameters used in both modes

ldapserver
    Names or IP addresses of LDAP servers to connect to. You can specify multiple servers separated by spaces.

ldapport
    Port number on the LDAP server to connect to. If the port is not specified, the LDAP library's default port (389) is used.

ldapscheme
    Set this parameter to ldaps to use LDAPS (LDAP over TLS/SSL), which some LDAP server implementations support. See the ldaptls parameter for an alternative.

ldaptls
    Set ldaptls to 1 to make the connection between ADPG/PostgreSQL and the LDAP server use TLS encryption. This approach uses the StartTLS operation described in RFC 4513.

The ldapscheme and ldaptls settings encrypt only the traffic between the ADPG/PostgreSQL server and the LDAP server. The connection between the ADPG/PostgreSQL server and its client remains unencrypted unless SSL/TLS is configured for client connections separately.

Simple bind mode

In simple bind mode, the server binds to the distinguished name constructed as prefix + user name + suffix. Typically, the prefix is used to specify cn= or DOMAIN\ in an Active Directory environment, and the suffix is used to specify the remaining part of the DN.

Parameters used in simple bind mode

ldapprefix
    Specifies a string that is prepended to the user name when forming the bind DN for authentication.

ldapsuffix
    Specifies a string that is appended to the user name when forming the bind DN for authentication.

Search + bind mode

In search + bind mode, the ADPG/PostgreSQL server first binds to the LDAP directory with a fixed user name and password, specified with the ldapbinddn and ldapbindpasswd parameters, and performs a search for the user. If no bind user name and password are configured, an anonymous bind is attempted. The search is performed on the ldapbasedn subtree and looks for an exact match between the user name and the ldapsearchattribute value. Once the search finds the user, the server disconnects and reconnects to the LDAP directory as that user, with the password supplied by the client, to verify that the credentials are correct.

Parameters used in search + bind mode

ldapbasedn
    Root DN to begin the search for a user.

ldapbinddn
    DN of the user to bind to the directory as in order to perform the search.

ldapbindpasswd
    Password of the user to bind to the directory as in order to perform the search.

ldapsearchattribute
    Attribute to match against the user name during search + bind authentication. If not specified, the uid attribute is used.

ldapsearchfilter
    The search filter that is used when doing search + bind authentication. $username in the filter is replaced with the user name. This option allows more flexible search filters than ldapsearchattribute. For example: ldapsearchfilter="(|(uid=$username)(mail=$username))"

ldapurl
    Specifies an RFC 4516 LDAP URL: ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]].

    scope specifies the scope of the search. The allowed values are:

      • base — a base object search;

      • one — a one-level search;

      • sub — a subtree search.

Set up a FreeIPA server

This section contains instructions on how to set up and configure a FreeIPA server that is used in the examples below.

Perform the following steps to install a FreeIPA server on a host with the CentOS or RHEL operating system.

  1. Install the FreeIPA server:

    $ sudo yum install ipa-server
  2. The examples below use host names in LDAP authentication settings. If your network does not include a DNS service to resolve host names, you can execute the command below to add host names and their IP addresses to the hosts file:

    $ sudo tee -a /etc/hosts > /dev/null <<EOT
    > 10.92.42.229 adpg.example.com adpg-host
    > 10.92.43.11 ipa.example.com ipa-host
    > EOT

    Where:

    • 10.92.42.229 — IP address of the host with ADPG;

    • 10.92.43.11 — IP address of the host with the FreeIPA server.

  3. Configure the FreeIPA server:

    $ sudo ipa-server-install \
       --unattended \
       --hostname=ipa.example.com \
       --domain=example.com \
       --realm=EXAMPLE.COM \
       --ds-password=pass2345 \
       --admin-password=pass1234
  4. Use the ipactl status command to check the status of services:

    $ sudo ipactl status

    The output should show that the Directory, krb5kdc, and kadmin services are running:

    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa: INFO: The ipactl command was successful
  5. Authenticate as the admin user, which is created automatically, to perform administrative tasks. To do this, run the kinit command:

    $ kinit admin

    When the following prompt is shown, enter the password specified in the admin-password option of the FreeIPA server configuration (in this example, pass1234):

    Password for admin@EXAMPLE.COM:
  6. Use the ipa user-add command to create a regular FreeIPA user:

    $ ipa user-add john \
     --first=John \
     --last=Smith \
     --password

    Enter the new user's password twice:

    Password:
    Enter Password again to verify:

    Result:

    -----------------
    Added user "john"
    -----------------
      User login: john
      First name: John
      Last name: Smith
      Full name: John Smith
      Display name: John Smith
      Initials: JS
      Home directory: /home/john
      GECOS: John Smith
      Login shell: /bin/sh
      Principal name: john@EXAMPLE.COM
      Principal alias: john@EXAMPLE.COM
      User password expiration: 20250317133100Z
      Email address: john@example.com
      UID: 1414400003
      GID: 1414400003
      Password: True
      Member of groups: ipausers
      Kerberos keys available: True

Configure ADPG to use LDAP

If your network does not include a DNS service to resolve host names, execute the command below on the ADPG/PostgreSQL host to add host names and their IP addresses to the hosts file:

$ sudo tee -a /etc/hosts > /dev/null <<EOT
> 10.92.42.229 adpg.example.com adpg-host
> 10.92.43.11 ipa.example.com ipa-host
> EOT

Where:

  • 10.92.42.229 — IP address of the host with ADPG;

  • 10.92.43.11 — IP address of the host with the FreeIPA server.

As mentioned above, a user must already exist in the database before LDAP can be used for authentication.

Create a group role for LDAP users; it is referenced as +ldap_users in the pg_hba.conf record:

CREATE ROLE ldap_users NOLOGIN;  -- group role only: its members log in, the group itself does not

Create a role for a specific user and add it to the ldap_users group. The role needs the LOGIN attribute to be able to connect, and the ADPG user name must match the LDAP user name.

CREATE ROLE john LOGIN IN GROUP ldap_users;

To configure connection options, open the Clusters page, select an ADPG cluster, and switch to the Services tab. Select the ADPG service and click the PG_HBA field on the Primary configuration tab in the Configuration tree. Add a new record in the format of the pg_hba.conf file. The following record uses the simple bind mode to connect to the FreeIPA server:

  host      all          +ldap_users     0.0.0.0/0     ldap            ldapserver=ipa.example.com ldapprefix="uid=" ldapsuffix=",cn=users,cn=accounts,dc=example,dc=com"

Test the connection using the psql tool:

$ psql postgres -U john -h 10.92.42.229

When the following prompt is shown, enter the password specified for the john LDAP user:

Password for user john:

Examples

Since LDAP uses commas and spaces to separate the different parts of a DN, it is often necessary to use double-quoted parameter values when configuring LDAP options, as shown in the examples below.

FreeIPA server

The configuration below uses the search + bind mode. Since ldapbinddn is not specified, ADPG attempts to bind anonymously to the LDAP server and perform a search for a user in the specified base DN (the ldapbasedn parameter):

host    all     +ldap_users     0.0.0.0/0       ldap        ldapserver=ipa.example.com ldapbasedn="cn=users,cn=accounts,dc=example,dc=com"

The same search + bind configuration written as a URL (the ldapurl parameter):

host    all     +ldap_users     0.0.0.0/0       ldap ldapurl="ldap://ipa.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub"

Methods that use anonymous binding are not secure. It is better to specify the ldapbinddn and ldapbindpasswd options to perform the search as an authorized user:

host      all          +ldap_users     0.0.0.0/0     ldap         ldapserver=ipa.example.com ldapbasedn="cn=users,cn=accounts,dc=example,dc=com" ldapbinddn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" ldapbindpasswd="pass1234"
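As an added illustration (not part of the ADPG documentation or product), the Python below parses a pg_hba.conf ldap record, expands the ldapurl form into the explicit options it stands for, and shows what the server sends to LDAP for a given user name in each mode: the constructed bind DN in simple bind mode or the search filter in search + bind mode. The SEARCH_BIND_URL record, the metacharacter check and the mixed-options check are this example's own assumptions, and no LDAP connection is made.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed record in pg_hba.conf format (mirrors the ldapurl example on this page, not a live config).
SEARCH_BIND_URL = ('host all +ldap_users 0.0.0.0/0 ldap '
                   'ldapurl="ldap://ipa.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub"')

_OPTION = re.compile(r'([A-Za-z]+)=("[^"]*"|\S+)')  # name=value, quoted when it holds commas/spaces
_SEARCH_KEYS = ('ldapbasedn', 'ldapbinddn', 'ldapbindpasswd', 'ldapsearchattribute', 'ldapsearchfilter')

def expand_ldapurl(url):
    """Translate an RFC 4516 URL into the explicit ldap* options it stands for."""
    u = urlsplit(url)                                # ldap[s]://host[:port]/basedn?attr?scope?filter
    out = {'ldapserver': u.hostname, 'ldapbasedn': unquote(u.path.lstrip('/'))}
    if u.scheme == 'ldaps':
        out['ldapscheme'] = 'ldaps'
    if u.port:
        out['ldapport'] = str(u.port)
    attribute, _, rest = u.query.partition('?')      # urlsplit keeps everything after the first '?'
    scope, _, filt = rest.partition('?')
    out['ldapsearchattribute'] = attribute or 'uid'  # uid is the documented default
    if scope in ('base', 'one', 'sub'):              # absent: the LDAP library's default applies
        out['ldapscope'] = scope
    if filt:
        out['ldapsearchfilter'] = unquote(filt)
    return out

def parse_ldap_record(record):
    """Return (mode, options) for one 'ldap' record; reject mixed simple/search options."""
    fields = record.split(None, 5)      # type database user address method auth-options
    if len(fields) < 6 or fields[4] != 'ldap':
        raise ValueError('not an ldap record')
    opts = {m.group(1): m.group(2).strip('"') for m in _OPTION.finditer(fields[5])}
    if 'ldapurl' in opts:
        opts.update(expand_ldapurl(opts.pop('ldapurl')))
    mode = 'search+bind' if any(k in opts for k in _SEARCH_KEYS) else 'simple'
    if mode == 'search+bind' and ('ldapprefix' in opts or 'ldapsuffix' in opts):
        raise ValueError('simple bind options cannot be combined with search+bind options')
    return mode, opts

def bind_target(record, username):
    """What the server hands to LDAP for this user: a bind DN (simple) or a search filter."""
    if set('*()\\/') & set(username):   # defensive: keep filter/DN metacharacters out of the name
        raise ValueError('invalid character in user name for LDAP authentication')
    mode, opts = parse_ldap_record(record)
    if mode == 'simple':
        return opts.get('ldapprefix', '') + username + opts.get('ldapsuffix', '')
    if 'ldapsearchfilter' in opts:
        return opts['ldapsearchfilter'].replace('$username', username)
    return '(%s=%s)' % (opts.get('ldapsearchattribute', 'uid'), username)
```

Running bind_target over your own PG_HBA records is a quick way to confirm that quoting produced the DN or filter you intended before testing with psql.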

MS Active Directory

The record below shows how to configure LDAP authentication in search + bind mode for Microsoft Active Directory:

host    all     +ldap_users     0.0.0.0/0       ldap        ldapserver=ad01.example.io ldapbasedn="OU=Peoples,DC=ad,DC=ranger-test" ldapbinddn="cn=admin,dc=ad,dc=ranger-test" ldapbindpasswd="bind_pass123" ldapsearchattribute="sAMAccountName"

Active Directory configuration used in the example

url
    ldap://ad01.example.io:389

binddn
    cn=admin,dc=ad,dc=ranger-test

bind password
    bind_pass123

user name attribute
    sAMAccountName

searchBase
    ou=Peoples,dc=ad,dc=ranger-test

group searchBase
    ou=Groups,dc=ad,dc=ranger-test

user searchBase
    ou=Peoples,dc=ad,dc=ranger-test
