Authenticate Postgresql client agains backend ldap

We have a Postgresql server open to many different people at our organization. In order to add a ldap authentication you can add these 3 lines to your current pg_hba.conf file:

host all username    127.0.0.1/32       ldap ldapserver="ourserver.uib.no" ldapbasedn="ou=people,dc=uib,dc=no"
host all username    129.177.XXX.YYY/32 ldap ldapserver="ourserver.uib.no" ldapbasedn="ou=people,dc=uib,dc=no"
local all username                      ldap ldapserver="ourserver.uib.no" ldapbasedn="ou=people,dc=uib,dc=no"

where the first one will allow users that access the server from localhost (either from a shell or 127.0.0.1 connections). The second line is allowing a computer from the following IP adresse: 129.177.XXX.YYY.

Finally the last line will use ldap backend for local connections. That means a Linux user that logged in with SSH, will still be validated agains the ldap server, regardless of local password.

Remember this is only authentication, so you have to add the username to Postgresql database anyway (hint: use createuser command).

If you want to allow a user to connect remotely over web, remember to use SSL in the webserver, HTTPS, so that the password is not transmittet un-encrypted.

Note also:  This is also only LDAP, not LDAPS connections. So data going from the Postgresql server to the ldap is not encrypted. In short: Keep the distance between the postgresql server and the LDAP server short, or try to implement LDAPS, which I did, where I failed, so far…

Leave a Reply

Your email address will not be published.