Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1t21PU-001VZ9-I8
	for pgsql-admin@arkaria.postgresql.org; Sat, 19 Oct 2024 04:49:52 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1t21PR-00FABq-Q6
	for pgsql-admin@arkaria.postgresql.org; Sat, 19 Oct 2024 04:49:50 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <a.mantzios@cloud.gatewaynet.com>)
	id 1t21PR-00FA8i-Ci
	for pgsql-admin@lists.postgresql.org; Sat, 19 Oct 2024 04:49:49 +0000
Received: from cloud.gatewaynet.com ([185.90.37.94])
	by magus.postgresql.org with esmtps  (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <a.mantzios@cloud.gatewaynet.com>)
	id 1t21PO-001qm8-Pu
	for pgsql-admin@lists.postgresql.org; Sat, 19 Oct 2024 04:49:49 +0000
Content-Type: multipart/alternative;
 boundary="------------M0KVXJAuYYxdx4XNJ9VeAirc"
Message-ID: <cf3917de-2136-4237-924a-0f0b66e3587b@cloud.gatewaynet.com>
Date: Sat, 19 Oct 2024 07:49:44 +0300
MIME-Version: 1.0
Subject: Re: LDAP authentication problem
To: pgsql-admin@lists.postgresql.org
References: <c3560ede2a4c4892abf29448e7e07755@izum.si>
Content-Language: en-US
From: Achilleas Mantzios <a.mantzios@cloud.gatewaynet.com>
In-Reply-To: <c3560ede2a4c4892abf29448e7e07755@izum.si>
List-Id: <pgsql-admin.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-admin@lists.postgresql.org>
List-Owner: <mailto:pgsql-admin-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-admin>
Archived-At: 
 <https://www.postgresql.org/message-id/cf3917de-2136-4237-924a-0f0b66e3587b%40cloud.gatewaynet.com>
Precedence: bulk

This is a multi-part message in MIME format.
--------------M0KVXJAuYYxdx4XNJ9VeAirc
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Στις 18/10/24 14:29, ο/η Domen Šetar έγραψε:

> Hi Admins,
>
> I have faced very strange problem in one of my postgresql servers. We 
> use LDAP authentication.
>
> Several colegues can't login with their AD accounts into the server. I 
> found error messages in postgresql log:
>
> 2024-10-18 07:23:46 CEST [3203974]: [2-1] …  could not search LDAP for 
> filter "(samaccountname=johndoe)" on server "adc1 adc2": Operations error
>
> 2024-10-18 07:23:46 CEST [3203974]: [3-1] … DETAIL:  LDAP diagnostics: 
> 000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this 
> operation a successful bind must be completed on the connection., data 
> 0, v4f7c
>
> 2024-10-18 07:23:46 CEST [3203974]: [4-1] … FATAL:  LDAP 
> authentication failed for user "johndoe”
>
> I can login with my AD account.
>
> Ldapsearch works from the host.
>
> My colegues can login with the same LDAP account to postgresql on 
> antoher hosts.
>
Can you post the effective pg_hba.conf lines? What does the AD logs say ?

BTW, Had you looked for AD alternatives before deploying it? Such as 
FreeIPA ? OpenLDAP ?

> I'm out of ideas what could be wrong.
>
> Best regards!
>
> izum
>
> 	
>
> Domen Šetar
> /Computer Systems Support/
> IZUM – Institute of Information Science| Prešernova ulica 17 | 2000 
> Maribor |Slovenia/
> /T: +386 2 25 20 339| M: +386 41 676 342| www.izum.si 
> <http://www.izum.si/>|domen.setar@izum.si <mailto:domen.setar@izum.si>
>
--------------M0KVXJAuYYxdx4XNJ9VeAirc
Content-Type: multipart/related;
 boundary="------------DR60Ebs4Sa2thDf0DjvY7qWU"

--------------DR60Ebs4Sa2thDf0DjvY7qWU
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Στις 18/10/24 14:29, ο/η Domen Šetar έγραψε:</p>
    <blockquote type="cite"
      cite="mid:c3560ede2a4c4892abf29448e7e07755@izum.si">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <meta name="Generator"
        content="Microsoft Word 15 (filtered medium)">
      <!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
      <style>@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
	{font-family:Aptos;}p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	font-size:12.0pt;
	font-family:"Aptos",sans-serif;
	mso-ligatures:standardcontextual;
	mso-fareast-language:EN-US;}span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Aptos",sans-serif;
	color:windowtext;}.MsoChpDefault
	{mso-style-type:export-only;
	mso-fareast-language:EN-US;}div.WordSection1
	{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:11.0pt">Hi Admins,<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">I have faced
            very strange problem in one of my postgresql servers. We use
            LDAP authentication.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">Several
            colegues can't login with their AD accounts into the server.
            I found error messages in postgresql log:<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">2024-10-18
            07:23:46 CEST [3203974]: [2-1] …  could not search LDAP for
            filter "(samaccountname=johndoe)" on server "adc1 adc2":
            Operations error<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">2024-10-18
            07:23:46 CEST [3203974]: [3-1] … DETAIL:  LDAP diagnostics:
            000004DC: LdapErr: DSID-0C090C78, comment: In order to
            perform this operation a successful bind must be completed
            on the connection., data 0, v4f7c<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">2024-10-18
            07:23:46 CEST [3203974]: [4-1] … FATAL:  LDAP authentication
            failed for user "johndoe</span><span
            style="font-size:11.0pt" lang="EN-US">”<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">I can login
            with my AD account.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">Ldapsearch
            works from the host.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">My colegues
            can login with the same LDAP account to postgresql on
            antoher hosts.<o:p></o:p></span></p>
      </div>
    </blockquote>
    <p>Can you post the effective pg_hba.conf lines? What does the AD
      logs say ?</p>
    <p>BTW, Had you looked for AD alternatives before deploying it? Such
      as FreeIPA ? OpenLDAP ?<br>
    </p>
    <blockquote type="cite"
      cite="mid:c3560ede2a4c4892abf29448e7e07755@izum.si">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">I'm out of
            ideas what could be wrong.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"
style="margin-bottom:10.0pt;line-height:115%;text-autospace:ideograph-other;vertical-align:baseline">
          <span
style="font-size:11.0pt;line-height:115%;font-family:&quot;Calibri&quot;,sans-serif;mso-ligatures:none">Best
            regards!<o:p></o:p></span></p>
        <table class="MsoNormalTable" style="border-collapse:collapse"
          width="0" cellspacing="0" cellpadding="0" border="0">
          <tbody>
            <tr style="height:58.6pt">
              <td
style="width:11.45pt;padding:0cm 0cm 0cm 0cm;height:58.6pt" width="15">
                <p class="MsoNormal" style="text-align:center"
                  align="center"><span
style="font-family:&quot;Calibri&quot;,sans-serif;mso-fareast-language:SL"><img
                      style="width:.7395in;height:.7395in"
                      id="Picture_x0020_7"
src="cid:part1.PNOMdiWj.nCYP3nBt@cloud.gatewaynet.com" alt="izum"
                      class="" width="71" height="71"><span
                      style="mso-ligatures:none"><o:p></o:p></span></span></p>
              </td>
              <td
style="width:406.75pt;padding:0cm 0cm 0cm 2.85pt;height:58.6pt"
                width="542">
                <p class="MsoNormal" style="margin-left:1.35pt"><span
style="font-family:&quot;Calibri&quot;,sans-serif;color:#548DD4;mso-ligatures:none;mso-fareast-language:SL">Domen
                    Šetar</span><span
style="font-size:14.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:SL"><br>
                  </span><i><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#333333;mso-ligatures:none;mso-fareast-language:SL"
                      lang="EN-GB">Computer Systems Support</span></i><span
style="font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D;mso-ligatures:none;mso-fareast-language:SL"><br>
                  </span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#939598;mso-ligatures:none;mso-fareast-language:SL">IZUM
                    – Institute of Information Science</span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#F57E20;mso-ligatures:none;mso-fareast-language:SL">
                  </span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#939598;mso-ligatures:none;mso-fareast-language:SL">|
                    Prešernova ulica 17 | 2000 Maribor |</span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#F57E20;mso-ligatures:none;mso-fareast-language:SL">
                  </span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#939598;mso-ligatures:none;mso-fareast-language:SL">Slovenia</span><i><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#333333;mso-ligatures:none;mso-fareast-language:SL"><br>
                    </span></i><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#939598;mso-ligatures:none;mso-fareast-language:SL">T:
                    +386 2 25 20 339</span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#F57E20;mso-ligatures:none;mso-fareast-language:SL">
                  </span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#939598;mso-ligatures:none;mso-fareast-language:SL">|
                    M: +386 41 676 342</span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#F57E20;mso-ligatures:none;mso-fareast-language:SL">
                  </span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#939598;mso-ligatures:none;mso-fareast-language:SL">|
                  </span><span
style="font-family:&quot;Times New Roman&quot;,serif;mso-ligatures:none;mso-fareast-language:SL"><a
                      href="http://www.izum.si/" moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#548DD4">www.izum.si</span></a></span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#548DD4;mso-ligatures:none;mso-fareast-language:SL">
                  </span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#939598;mso-ligatures:none;mso-fareast-language:SL">|</span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#73BD9A;mso-ligatures:none;mso-fareast-language:SL">
                  </span><span
style="font-size:10.0pt;font-family:&quot;Calibri&quot;,sans-serif;mso-ligatures:none;mso-fareast-language:SL"><a
                      href="mailto:domen.setar@izum.si"
                      moz-do-not-send="true"><span style="color:blue">domen.setar@izum.si</span></a></span><span
style="font-family:&quot;Calibri&quot;,sans-serif;mso-ligatures:none;mso-fareast-language:SL"
                    lang="EN-GB"><o:p></o:p></span></p>
              </td>
            </tr>
          </tbody>
        </table>
        <p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:none;mso-fareast-language:SL"><o:p> </o:p></span></p>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
    </blockquote>
  </body>
</html>
--------------DR60Ebs4Sa2thDf0DjvY7qWU
Content-Type: image/jpeg; name="image002.jpg"
Content-Disposition: inline; filename="image002.jpg"
Content-Id: <part1.PNOMdiWj.nCYP3nBt@cloud.gatewaynet.com>
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRof
Hh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwh
MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAAR
CABHAEcDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAA
AgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkK
FhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWG
h4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl
5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREA
AgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYk
NOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOE
hYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk
5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD3+iiigArN1OR0vdIVXZVe8ZXAONw8mU4P
4gH8K0qwvE2q6ZoqaZfarctbwJeYVwpYbjFIOcc4xn8cVUU27ImTsrhqU0qaN4idZXVokk8t
g2Cn7hTx6c81uD7o+lcFf+PfBsmmarF/bYb7Wj5VInLDMYTAyME8frXer90fSnKLjuhRkm9G
LRRRUFhRRRQAUUUUAFZev2Oj32lsuuR2z2UbCQm4ICoR0OT06n8zWpXJ+PNP07VLPSbTVGuB
bPqAOLeMuxYQykAgAnHHPB/qLp/EiZ/Czj4brw1f6odK0bwvDr1swMc1zBYRQtDkdfMwqnrx
936mvWx0rjfsNg2lyaZa6tqNlDLG0KD7KIUXcMDnylA6+oNdkOgqqruyKSsLRRRWRqFFFFAB
RRRQAVz3i7XZfD9pYXUOmy6g0l2IjDCu6QAxyElR6jb+Wa6Guc8Y3mtWVnp76FFDPeNd4MMu
MSIIpGKg9j8vXIq6avJJkVHaLOavfGer67ZT6VY+DtWjmvI2g827iMccYYbdzHHQZzivRYlZ
YkVm3MFAJ9TXn8vjKDxFoGoJaXVzo2v2MDym0lO1wyrkjBGHHHpkegzXoQ+6PpV1VbS1iaev
W4tFFFYmoUUUUAFFFFABXM+NLvTLG00y51S/ubCOO+UxXMAB2P5cn3gVbKkbh07iumrG1+ys
NQfS7XULNLqJ7w7UkAKhhDKckEHdxnj1IParhZS1Jnfl0OB8X6v8O/Etg8lxqii+ijJiuIIm
EuQOn3QDn0P6V6sv3R9K4/UfDfhhdJ1iQ+HNPH2WJwfLgRWOIw3DbflPOM9sZrsB0FVUlFpK
N/mRTi022LRRRWRqFFFFABRRRQAVmar/AMf+i/8AX63/AKImooprcUtilqv/ACA/E/8A1zk/
9J1rfHQUUU3sJbi0UUVJQUUUUAf/2Q==

--------------DR60Ebs4Sa2thDf0DjvY7qWU--

--------------M0KVXJAuYYxdx4XNJ9VeAirc--