I presently use "md5" authentication for access from the LAN:
host all all 192.168.1.0/24 md5
I want to add the ldap authentication method, so I added this line before it:
host all all 192.168.1.0/24 ldap "ldap://192.168.1.2/basedn;uid=;,cn=xx,dc=yy,dc=zz,dc=ca"
This works great with LDAP accounts, but if I try to log in with an account not present on the LDAP server, the login fails (PostgreSQL doesn't try the md5 authentication).
Is there a way to support more than one authentication method with PostgreSQL?
No --
Since the pg_hba.conf records are examined sequentially for each connection attempt, the order of the records is significant.
-- In other words, "first match is the method I'm going to use". You would have to explicitly list all the local (md5) accounts before proceeding to the "all users" LDAP authentication in order for this to work (and that starts to get hairy with maintaining the pg_hba.conf file).
As a workaround you can use the pam authentication method, and configure PAM's "postgres" service to use whatever methods you wish (including falling back to alternate methods), but this limits you to whatever PAM modules are installed/configured on your system. (For suitably broad definitions of "limits" -- e.g. you could use one-time passwords for Postgres accounts if you use PAM as the authentication method.)
I ran into this same problem; I wanted to use md5 for an application user and ldap for other users in my organization. One difference is that I am using the official Docker Postgres image, but my method should still work for the regular PostgreSQL users. The Docker Postgres image comes with a postgres user by default. You can add a specific user to your pg_hba.conf file by pre-pending the username with a plus sign (+). My pg_hba.conf ended up being the following:
The second to last line there supports the application user, postgres, and the last line there supports multiple LDAP user accounts.
This works for me:
local all postgres peer
host all user1,user2 0.0.0.0/0 ldap ldapserver=192.168.0.1 ldapbasedn="DC=domain,DC=local" ldapbinddn="admin@domain" ldapbindpasswd="*******" ldapsearchattribute="sAMAccountName"
local all all peer
host all all 0.0.0.0/0 md5
host all all 10.10.10.2/32 trust #Don't mind this line...
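To make the "first match wins" rule from the first answer concrete, here is a small simulator (an added example, not code from the thread or from PostgreSQL itself) that parses the asker's two records and the last config above and reports which method the server would pick for a given connection. The user names, database name and client addresses are made up, the LDAP bind password is a placeholder, and the LDAP options are simply ignored by the parser.

```python
import ipaddress

def parse_hba(text):
    """Parse pg_hba.conf records into (type, database, user, network, method); options are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":                  # local records have no address column
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:                                # host/hostssl/hostnossl carry a CIDR address
            rules.append((f[0], f[1], f[2], ipaddress.ip_network(f[3], strict=False), f[4]))
    return rules

def _matches(column, value):
    """'all' matches anything; otherwise the column is a comma-separated list of names."""
    return column == "all" or value in column.split(",")

def resolve(rules, conn_type, db, user, address=None):
    """Return the method of the FIRST matching record, or None if the connection is rejected.
    conn_type is 'local', 'hostssl' or 'hostnossl'; a 'host' record matches either TCP kind."""
    for rtype, rdb, ruser, rnet, method in rules:
        if rtype == "local":
            if conn_type != "local":
                continue
        elif conn_type == "local" or (rtype != "host" and rtype != conn_type):
            continue
        elif ipaddress.ip_address(address) not in rnet:
            continue
        if _matches(rdb, db) and _matches(ruser, user):
            return method          # no later record is consulted, even if this auth fails
    return None

# The asker's two records: the md5 line is unreachable for any LAN client.
ASKER_HBA = """\
host all all 192.168.1.0/24 ldap "ldap://192.168.1.2/basedn;uid=;,cn=xx,dc=yy,dc=zz,dc=ca"
host all all 192.168.1.0/24 md5
"""

# The last answer's records (bind password replaced by a placeholder).
ANSWER_HBA = """\
local all postgres peer
host all user1,user2 0.0.0.0/0 ldap ldapserver=192.168.0.1 ldapbasedn="DC=domain,DC=local" ldapbinddn="admin@domain" ldapbindpasswd="PLACEHOLDER" ldapsearchattribute="sAMAccountName"
local all all peer
host all all 0.0.0.0/0 md5
host all all 10.10.10.2/32 trust
"""
```

With the asker's records, resolve() returns "ldap" for every LAN client regardless of user, which is exactly the reported failure; with the last config, user1 gets ldap, any other TCP user gets md5, and the trailing trust record is never reached because the md5 record ahead of it already matches 10.10.10.2.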