public inbox for pgsql-novice@postgresql.org  
From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Subramanian,Ramachandran <ramachandran.subramanian@alte-leipziger.de>
To: pgsql-novice@lists.postgresql.org <pgsql-novice@lists.postgresql.org>
Subject: Re: A vexing problem with LDAP
Date: Fri, 13 Mar 2026 08:04:19 +0100
Message-ID: <ff5e8a3ba8d97971b2de3194e2bff2239ea715f2.camel@cybertec.at> (raw)
In-Reply-To: <f1741c9e262d4bc8ad285ec7d82bf62e@alte-leipziger.de>
References: <f1741c9e262d4bc8ad285ec7d82bf62e@alte-leipziger.de>

On Fri, 2026-03-13 at 06:57 +0000, Subramanian,Ramachandran wrote:
> We have a USERID (VALID-USER) who exists in the LDAP group G_APP_Postgres_Users.
>  
> PS H:\> Get-ADUser -LDAPFilter "(&(objectClass=user)(sAMAccountName=VALID-USER)(memberOf=CN=G_APP_Postgres_Users,OU=Anwendungen,OU=Gruppen,OU=Identity,DC=my-Konzern,DC=de))"
>  
> DistinguishedName : CN=VALID-USER,OU=Konten,OU=EWT,OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de
> Enabled           : True
> GivenName         : REWT-PostgreSQL
> Name              : VALID-USER
> ObjectClass       : user
> ObjectGUID        : 5a45f8e9-f13b-4ff2-9815-ec85bd0aeb7c
> SamAccountName    : VALID-USER
> SID               : S-1-5-21-4249930229-1474557206-4077294858-125360
> Surname           : Rochade-Konfig
> UserPrincipalName :VALID-USER@my-konzern.de
>  
> However, when he tries to connect to postgres we see this error message.
>  
> Postgres-Log
> LOG:  LDAP user "VALID-USER" does not exist
> FATAL:  LDAP authentication failed for user "VALID-USER"
>  
> PG_HBA.CONF entry is shown below.
>  
> pg_hba.conf
> host   all             all              0.0.0.0/0             ldap ldapserver=ldap.my-konzern.de ldapport=389 ldapbinddn="CN=Postgres-LDAP,OU=Konten,OU=PROD,OU=PostgreSQL,OU=Ressourcen,DC=my-konzern,DC=de" ldapbindpasswd="dF3@3#s$P1" ldapbasedn="OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de" ldapscheme=ldap ldapsearchfilter="(&(objectClass=user)( sAMAccountName=%u)(memberOf=CN=G_APP_Postgres_Users,OU=Anwendungen,OU=Gruppen,OU=Identity,DC=my-konzern,DC=de))"
>  
> What could be the source of this error?

I'd say that because PostgreSQL <> Postgres, you won't find user
"CN=VALID-USER,OU=Konten,OU=EWT,OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de"
under the base distinguished name "OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de".

Try with ldapbasedn="OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de".

> How to debug this problem step by step to see where exactly the chain is disconnected?

Copy and paste is your friend; it avoids typos.

Yours,
Laurenz Albe
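The diagnosis above comes down to a DN containment question: in search+bind mode PostgreSQL runs a subtree search rooted at ldapbasedn, and when that search returns no entry it logs `LDAP user "..." does not exist`. The following Python script is an added example, not part of this thread or of PostgreSQL, that makes the check mechanical: it parses a pg_hba.conf ldap line, splits DNs into RDNs, tests whether the user's DN sits under the configured base, and reports the first RDN (walking from the root) where the two diverge. The DN strings are copied from the quoted messages; the constructed pg_hba.conf line carries a placeholder bind password; the helper names are hypothetical.

```python
import re

# DNs copied from the quoted thread: the user's DN as returned by Get-ADUser,
# the ldapbasedn from the posted pg_hba.conf, and the suggested replacement.
USER_DN = "CN=VALID-USER,OU=Konten,OU=EWT,OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de"
BASE_DN_CONFIGURED = "OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de"
BASE_DN_SUGGESTED = "OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de"

# Constructed pg_hba.conf line in the shape of the one in the thread.
# The bind password is a placeholder, not a real credential.
HBA_LINE = (
    'host all all 0.0.0.0/0 ldap ldapserver=ldap.my-konzern.de ldapport=389 '
    'ldapbinddn="CN=Postgres-LDAP,OU=Konten,OU=PROD,OU=PostgreSQL,OU=Ressourcen,DC=my-konzern,DC=de" '
    'ldapbindpasswd="PLACEHOLDER_BIND_PASSWORD" '
    'ldapbasedn="OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de"'
)


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first, root last.

    Backslash-escaped commas inside values are preserved. Multi-valued RDNs
    (a=b+c=d) are not handled; ordinary AD user DNs do not use them.
    Attribute types and values are lower-cased because AD compares DN
    components case-insensitively (assumption matching AD behaviour).
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base(user_dn, base_dn):
    """True when base_dn is a proper suffix of user_dn, i.e. a subtree
    search rooted at base_dn can reach the user's entry."""
    user, base = split_dn(user_dn), split_dn(base_dn)
    return len(base) < len(user) and user[-len(base):] == base


def first_divergence(user_dn, base_dn):
    """Walk both DNs from the root (DC=...) towards the leaf and return the
    first (user_rdn, base_rdn) pair that differs, or None if the base is a
    root-anchored prefix of the user's DN."""
    user = split_dn(user_dn)[::-1]
    base = split_dn(base_dn)[::-1]
    for u, b in zip(user, base):
        if u != b:
            return (u, b)
    return None


def hba_ldap_options(line):
    """Extract key=value options from a pg_hba.conf ldap line.
    Double-quoted values may contain spaces; bare values end at whitespace."""
    return {
        key: quoted or bare
        for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    }


def report(user_dn, hba_line):
    """Human-readable verdict for one user against one pg_hba.conf line."""
    base = hba_ldap_options(hba_line)["ldapbasedn"]
    if is_under_base(user_dn, base):
        return f"OK: {user_dn} is under ldapbasedn {base}"
    u, b = first_divergence(user_dn, base)
    return (f"NOT FOUND: {user_dn} is outside ldapbasedn {base}; "
            f"first differing RDN: user has {u[0]}={u[1]}, base has {b[0]}={b[1]}")


if __name__ == "__main__":
    print(report(USER_DN, HBA_LINE))
```

Run it as-is to reproduce the situation in the thread; the report names the `OU=PostgreSQL` versus `OU=Postgres` component as the point of divergence, and swapping in the suggested base DN makes `is_under_base` return true. The same check is worth running against each user DN returned by `Get-ADUser` before editing pg_hba.conf, since it separates "base DN wrong" from other causes of the same log message.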