Closed: closed by dpage 1 year ago
Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-1 Originally created by Khushboo Vashi at 2020-06-01 04:22:39 UTC.
Hi,
You have set LDAP_USERNAME_ATTRIBUTE = "uid". Does your DN contain the "uid" attribute? As per your search query, LDAP_USERNAME_ATTRIBUTE should be "cn" (LDAP_USERNAME_ATTRIBUTE = "cn"). For secure LDAP, please set the LDAP_CA_CERT_FILE parameter, which is missing in your configuration.
For more details, please refer https://www.pgadmin.org/docs/pgadmin4/4.22/enabling_ldap_authentication.html
Thanks, Khushboo
Redmine ticket header update:
Name | Old Value | New Value |
---|---|---|
Assigned To changed | Alessandro De Maria |
Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-2 Originally created by Alessandro De Maria at 2020-06-01 05:52:38 UTC.
Khushboo Vashi wrote:
Hi,
You have set LDAP_USERNAME_ATTRIBUTE = "uid". Does your DN contain the "uid" attribute? As per your search query, LDAP_USERNAME_ATTRIBUTE should be "cn" (LDAP_USERNAME_ATTRIBUTE = "cn").
Yes, it does have it. I also changed it from cn to uid and back with no improvement.
For secure LDAP, please set the LDAP_CA_CERT_FILE parameter, which is missing in your configuration.
I have made multiple experiments; I tried setting it to /etc/ssl/cert.pem or leaving it empty.
The "Error binding to the LDAP server" seems to be past the connection phase, so I don't think this is the issue in my case. As validation, I tried setting LDAP_CA_CERT_FILE to an incorrect file (/opt/secrets/cert.pem) and this time it fails with
Error connecting to LDAP server: unable to open socket
IMO proving that the SSL connectivity itself is fine, and the error is happening past that point.
For more details, please refer https://www.pgadmin.org/docs/pgadmin4/4.22/enabling_ldap_authentication.html
I'm afraid I've read it over and over again but I cannot find any issue with my setup.
Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-3 Originally created by Khushboo Vashi at 2020-06-01 08:26:31 UTC.
Hi,
As per your search query (LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXXX,dc=com '(cn=a.demaria)') , you have performed LDAP Anonymous bind (connect and search the directory without logging in), which is not supported in pgAdmin.
Have you tried to bind the LDAP server with User DN and password from your mac?
Thanks, Khushboo
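The distinction raised above, between an anonymous bind (what ldapsearch sends when no -D bind DN is given) and a simple bind with a user DN and password, is visible on the wire in the LDAPv3 BindRequest. The following is an added example, not pgAdmin's or any participant's code: a stdlib-only BER encoder for BindRequest PDUs (RFC 4511 section 4.2) and a classifier that tells the two apart, plus the third case practitioners tend to forget, an "unauthenticated" bind (DN present, password empty, RFC 4513 section 5.1.2), which many directory servers silently accept as anonymous and which an application must therefore refuse to send. The DN and password values in the test are constructed, and the hardened wrapper `safe_bind_request` is an assumed name, not an API of any library.

```python
"""Encode and classify LDAPv3 BindRequest PDUs with BER (RFC 4511 section 4.2).

Constructed, offline example: no directory server, no ldap3, standard library only.
"""
from __future__ import annotations

TAG_SEQUENCE = 0x30       # universal SEQUENCE, constructed
TAG_INTEGER = 0x02        # universal INTEGER
TAG_OCTET_STRING = 0x04   # universal OCTET STRING (LDAPDN is an OCTET STRING)
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive


def _ber_length(n: int) -> bytes:
    """Definite-length BER: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def _integer(value: int) -> bytes:
    """BER INTEGER for non-negative values (messageID, protocol version)."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the two's-complement value positive
    return _tlv(TAG_INTEGER, body)


def bind_request(message_id: int, bind_dn: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple password } }."""
    op = (_integer(version)
          + _tlv(TAG_OCTET_STRING, bind_dn.encode())
          + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _integer(message_id) + _tlv(TAG_BIND_REQUEST, op))


def safe_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """Hardened wrapper (assumed name): never emit an anonymous or unauthenticated bind.

    A DN with an empty password is an 'unauthenticated' bind (RFC 4513 5.1.2); servers
    that allow it answer success without checking anything, so refuse it client-side.
    """
    if not bind_dn or not password:
        raise ValueError("refusing anonymous/unauthenticated bind: DN and password required")
    return bind_request(message_id, bind_dn, password)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated PDU")
    return tag, buf[pos:end], end


def classify_bind(pdu: bytes) -> dict:
    """Parse a BindRequest and label it anonymous, unauthenticated, simple or sasl."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, cred, _ = _read_tlv(op, pos)
    if tag != TAG_SIMPLE_AUTH:
        kind = "sasl"                # [3] SaslCredentials; not decoded further here
    elif not name and not cred:
        kind = "anonymous"           # what `ldapsearch -x` without -D sends
    elif name and not cred:
        kind = "unauthenticated"     # DN but no password; often treated as anonymous
    else:
        kind = "simple"              # DN plus password: the bind pgAdmin needs
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True),
            "bind_dn": name.decode(), "kind": kind}
```

Run it against a captured bind from a packet trace to see which of the three cases a client actually sends; the classic anonymous bind is the 14-byte PDU 30 0c 02 01 01 60 07 02 01 03 04 00 80 00.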
Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-4 Originally created by Alessandro De Maria at 2020-06-01 08:53:37 UTC.
Khushboo Vashi wrote:
Hi,
As per your search query (LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXXX,dc=com '(cn=a.demaria)'), you have performed an LDAP anonymous bind (connect and search the directory without logging in), which is not supported in pgAdmin.
Have you tried to bind the LDAP server with User DN and password from your mac?
I hadn't tried! Thanks! Yes it helped me debug the situation.
This is the correct setup:
AUTHENTICATION_SOURCES = ['ldap']
LDAP_AUTO_CREATE_USER = True
LDAP_CONNECTION_TIMEOUT = 20
LDAP_SERVER_URI = "ldap://ldap.google.com:389"
LDAP_BASE_DN = "ou=Users,dc=XXXXXX,dc=com"  # ou=Users was missing
LDAP_USERNAME_ATTRIBUTE = "uid"  # "cn" doesn't work
LDAP_USE_STARTTLS = True  # Python boolean; lowercase `true` is a NameError in config_local.py
LDAP_CERT_FILE = "/opt/secrets/cert.pem"
LDAP_KEY_FILE = "/opt/secrets/cert.key"
Thank you, resolved.
For posterity, on mac:
LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -D "uid=a.demaria,ou=Users,dc=XXXXXX,dc=com" -x -W -b dc=XXXXXX,dc=com '(cn=a.demaria)'
Thanks, Khushboo
Comment migrated from Redmine: https://redmine.postgresql.org/issues/5573#note-5 Originally created by Khushboo Vashi at 2020-06-01 09:04:48 UTC.
Good to hear it worked! Closing the ticket.
Redmine ticket header update:
Name | Old Value | New Value |
---|---|---|
Status changed | New | Resolved |
Tracker changed | Bug | Support |
Issue closed on Redmine.
Issue migrated from Redmine: https://redmine.postgresql.org/issues/5573 Originally created by Alessandro De Maria at 2020-05-31 20:11:36 UTC.
Hi,
I am trying to connect to GSuite Secure LDAP (https://support.google.com/a/answer/9089736?hl=en)
I have set up the following in config_local.py:
I have also tried with:
If I run the search from mac after importing the certificates, it works:
I have tried logging in both with a.demaria and a.demaria@XXXXXX.com
The error I get is:
I have also tried logging in both with my account (which has 2FA enabled) and another account that does not have it
Could you help me understand why it is not working?