Open adam-cayuse opened 1 year ago
Logs from postgres show that the user has no password assigned
You must configure the authentication methods of the server in the pg_hba.conf file. pg_ldap_sync is often combined with Kerberos/GSSAPI or certificate authentication to avoid passwords altogether, but it should work equally well with LDAP authentication. You then have two connections to the LDAP server: one from pg_ldap_sync to retrieve the groups and users, and one from the PostgreSQL server to verify the password.
Thank you for that info. My use case is for Postgres in AWS RDS. I don't have access to a pg_hba.conf file, but the RDS is joined to a domain. Are there any working examples of this setup with AWS RDS?
The other thing I'm seeing is that when it adds a group, it does not add the group members.
I, [2023-04-20T14:48:33.460367 #81999] INFO -- : found pg-group: "DB_ADMIN" with members: []
I, [2023-04-20T14:48:33.461510 #81999] INFO -- : found pg-group: "PROD_DB_RO" with members: []
I, [2023-04-20T14:48:33.462634 #81999] INFO -- : found pg-group: "PROD_DB_RW" with members: []
LDAP authentication is not supported by RDS, so the one way I see to solve this is to try to assign the same password as in AD to the local RDS user.
Initial setup. Under ldap_users I have it filtered to 1 user. The user is created in postgres, but I cannot log in using my LDAP password. Under ldap_groups, the group is added, but not its members (the members are nested groups). ldapsearch with the same filter shows the group members.