pgadmin-org / pgadmin4

pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
https://www.pgadmin.org

Unable to connect to GSuite Secure LDAP (RM #5573) #3614

Closed dpage closed 1 year ago

dpage commented 4 years ago

Issue migrated from Redmine: https://redmine.postgresql.org/issues/5573 Originally created by Alessandro De Maria at 2020-05-31 20:11:36 UTC.

Hi,

I am trying to connect to GSuite Secure LDAP (https://support.google.com/a/answer/9089736?hl=en)

I have setup the following in the config_local.py


AUTHENTICATION_SOURCES = ['ldap']
LDAP_AUTO_CREATE_USER = True
LDAP_CONNECTION_TIMEOUT = 20
LDAP_SERVER_URI = "ldaps://ldap.google.com:636"
LDAP_BASE_DN = "dc=XXXXXX,dc=com"
LDAP_USERNAME_ATTRIBUTE = "uid"

LDAP_CERT_FILE = "/opt/secrets/cert.pem"
LDAP_KEY_FILE = "/opt/secrets/cert.key"

I have also tried with


AUTHENTICATION_SOURCES = ['ldap']
LDAP_AUTO_CREATE_USER = True
LDAP_CONNECTION_TIMEOUT = 20
LDAP_SERVER_URI = "ldap://ldap.google.com:389"
LDAP_BASE_DN = "dc=XXXXXX,dc=com"

LDAP_USERNAME_ATTRIBUTE = "uid"
LDAP_USE_STARTTLS = True
LDAP_CERT_FILE = "/opt/secrets/cert.pem"
LDAP_KEY_FILE = "/opt/secrets/cert.key"

If I run the search from mac after importing the certificates, it works:


LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXXX,dc=com '(cn=a.demaria)'

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

I have tried logging in both with a.demaria and a.demaria@XXXXXX.com.

The error I get is:


2020-05-31 18:56:08,814: ERROR  flask.app:      Error binding to the LDAP server.
Traceback (most recent call last):
  File "/pgadmin4/pgadmin/authenticate/ldap.py", line 108, in connect
    self.conn = Connection(server,
  File "/usr/local/lib/python3.8/site-packages/ldap3/core/connection.py", line 355, in __init__
    self.do_auto_bind()
  File "/usr/local/lib/python3.8/site-packages/ldap3/core/connection.py", line 384, in do_auto_bind
    raise LDAPBindError(self.last_error)
ldap3.core.exceptions.LDAPBindError: None

I have also tried logging in both with my account (which has 2FA enabled) and another account that does not have it.

Could you help me understand why it is not working?

dpage commented 4 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-1 Originally created by Khushboo Vashi at 2020-06-01 04:22:39 UTC.

Hi,

You have set LDAP_USERNAME_ATTRIBUTE = "uid". Does your DN contain the "uid" attribute? As per your search query, LDAP_USERNAME_ATTRIBUTE should be "cn" (LDAP_USERNAME_ATTRIBUTE = "cn"). For secure LDAP, please set the LDAP_CA_CERT_FILE parameter, which is missing in your configuration.

For more details, please refer https://www.pgadmin.org/docs/pgadmin4/4.22/enabling_ldap_authentication.html

Thanks, Khushboo

Redmine ticket header update:

Assigned To: (none) -> Alessandro De Maria
dpage commented 4 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-2 Originally created by Alessandro De Maria at 2020-06-01 05:52:38 UTC.

Khushboo Vashi wrote:

Hi,

You have set LDAP_USERNAME_ATTRIBUTE = "uid". Does your DN contain the "uid" attribute? As per your search query, LDAP_USERNAME_ATTRIBUTE should be "cn" (LDAP_USERNAME_ATTRIBUTE = "cn").

Yes it does have it. I also changed it from cn to uid and back with no improvement.

For secure LDAP, please set LDAP_CA_CERT_FILE parameter, which is missing in your configuration.

I have made multiple experiments; I tried setting it to /etc/ssl/cert.pem or leaving it empty. The "Error binding to the LDAP server" seems to be past the connection phase, so I don't think this is the issue in my case. As validation, I tried setting LDAP_CA_CERT_FILE to an incorrect file (/opt/secrets/cert.pem) and this time it fails with


Error connecting to LDAP server: unable to open socket

IMO proving that the SSL connectivity itself is fine, and the error is happening past that point.

For more details, please refer https://www.pgadmin.org/docs/pgadmin4/4.22/enabling_ldap_authentication.html

I'm afraid I've read it over and over again but I cannot find any issue with my setup.

dpage commented 4 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-3 Originally created by Khushboo Vashi at 2020-06-01 08:26:31 UTC.

Hi,

As per your search query (LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXXX,dc=com '(cn=a.demaria)'), you have performed an LDAP anonymous bind (connect and search the directory without logging in), which is not supported in pgAdmin.

Have you tried to bind to the LDAP server with the User DN and password from your mac?

Thanks, Khushboo

dpage commented 4 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-4 Originally created by Alessandro De Maria at 2020-06-01 08:53:37 UTC.

Khushboo Vashi wrote:

Hi,

As per your search query (LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXXX,dc=com '(cn=a.demaria)'), you have performed an LDAP anonymous bind (connect and search the directory without logging in), which is not supported in pgAdmin.

Have you tried to bind to the LDAP server with the User DN and password from your mac?

I hadn't tried! Thanks! Yes it helped me debug the situation.

This is the correct setup:


AUTHENTICATION_SOURCES = ['ldap']
LDAP_AUTO_CREATE_USER = True
LDAP_CONNECTION_TIMEOUT = 20
LDAP_SERVER_URI = "ldap://ldap.google.com:389"
LDAP_BASE_DN = "ou=Users,dc=XXXXXX,dc=com"  # ou=Users was missing

LDAP_USERNAME_ATTRIBUTE = "uid"   # "cn" doesn't work
LDAP_USE_STARTTLS = True
LDAP_CERT_FILE = "/opt/secrets/cert.pem"
LDAP_KEY_FILE = "/opt/secrets/cert.key"

Thank you, resolved.

For posterity, on mac:

LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -D "uid=a.demaria,ou=Users,dc=XXXXXX,dc=com" -x -W -b dc=XXXXXX,dc=com '(cn=a.demaria)'

Thanks, Khushboo
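The diagnosis above turns on two things: pgAdmin does a simple bind with a DN it builds from the configured username attribute and base DN, so a base DN that omits ou=Users yields a DN that does not exist, and a TLS/socket problem surfaces as a connect error rather than a bind error. The following pre-flight script is an added example (not part of this thread and not pgAdmin's own code) that reproduces the ldapsearch -D check with ldap3 using the same config keys; the DN layout "<attr>=<user>,<base dn>" and the use of the system CA store when LDAP_CA_CERT_FILE is unset are assumptions about pgAdmin's behaviour.

```python
import ssl
from urllib.parse import urlparse


def build_bind_dn(cfg, username):
    # Assumed pgAdmin layout: "<LDAP_USERNAME_ATTRIBUTE>=<user>,<LDAP_BASE_DN>".
    # With LDAP_BASE_DN lacking "ou=Users" this DN does not exist, so the bind fails.
    return "{0}={1},{2}".format(cfg["LDAP_USERNAME_ATTRIBUTE"], username, cfg["LDAP_BASE_DN"])


def parse_server_uri(uri):
    # ldaps:// implies TLS on connect (default 636); ldap:// (default 389) relies on StartTLS.
    parsed = urlparse(uri)
    use_ssl = parsed.scheme == "ldaps"
    return parsed.hostname, parsed.port or (636 if use_ssl else 389), use_ssl


def check_bind(cfg, username, password):
    """Return ("ok" | "connect_failed" | "bind_failed", detail) for a simple bind as the user."""
    import ldap3  # imported lazily so the pure helpers above work without ldap3 installed
    from ldap3.core.exceptions import LDAPBindError, LDAPSocketOpenError, LDAPStartTLSError

    host, port, use_ssl = parse_server_uri(cfg["LDAP_SERVER_URI"])
    # Client certificate for GSuite Secure LDAP; server cert is always validated
    # (against LDAP_CA_CERT_FILE if given, else the system CA store).
    tls = ldap3.Tls(local_private_key_file=cfg.get("LDAP_KEY_FILE"),
                    local_certificate_file=cfg.get("LDAP_CERT_FILE"),
                    ca_certs_file=cfg.get("LDAP_CA_CERT_FILE") or None,
                    validate=ssl.CERT_REQUIRED)
    server = ldap3.Server(host, port=port, use_ssl=use_ssl, tls=tls,
                          connect_timeout=cfg.get("LDAP_CONNECTION_TIMEOUT", 20))
    conn = ldap3.Connection(server, user=build_bind_dn(cfg, username),
                            password=password, auto_bind=False)
    try:
        if cfg.get("LDAP_USE_STARTTLS") and not use_ssl:
            conn.open()
            conn.start_tls()
        if conn.bind():
            return "ok", conn.result.get("description")
        # Socket and TLS succeeded; only the credentials or the DN are wrong here.
        return "bind_failed", conn.result.get("description")
    except (LDAPSocketOpenError, LDAPStartTLSError) as exc:
        return "connect_failed", str(exc)   # the "unable to open socket" class of error
    except LDAPBindError as exc:
        return "bind_failed", str(exc)
    finally:
        if conn.bound:
            conn.unbind()
```

Run check_bind with the config from the thread and a throwaway password: "connect_failed" points at the certificate files or CA setting, "bind_failed" at the base DN or username attribute.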

dpage commented 4 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-5 Originally created by Khushboo Vashi at 2020-06-01 09:04:48 UTC.

Good to hear it worked! Closing the ticket.

Redmine ticket header update:

Status: New -> Resolved
Tracker: Bug -> Support
dpage commented 1 year ago

Issue closed on Redmine.