Subject: Re: A vexing problem with LDAP
From: Laurenz Albe
To: "Subramanian,Ramachandran", "pgsql-novice@lists.postgresql.org"
Date: Fri, 13 Mar 2026 08:04:19 +0100

On Fri, 2026-03-13 at 06:57 +0000, Subramanian,Ramachandran wrote:
> We have a USERID (VALID-USER) who exists in the LDAP Group G_APP_Postgres_Users.
>
> PS H:\> Get-ADUser -LDAPFilter "(&(objectClass=user)(sAMAccountName=VALID-USER)(memberOf=CN=G_APP_Postgres_Users,OU=Anwendungen,OU=Gruppen,OU=Identity,DC=my-Konzern,DC=de))"
>
> DistinguishedName : CN=VALID-USER,OU=Konten,OU=EWT,OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de
> Enabled           : True
> GivenName         : REWT-PostgreSQL
> Name              : VALID-USER
> ObjectClass       : user
> ObjectGUID        : 5a45f8e9-f13b-4ff2-9815-ec85bd0aeb7c
> SamAccountName    : VALID-USER
> SID               : S-1-5-21-4249930229-1474557206-4077294858-125360
> Surname           : Rochade-Konfig
> UserPrincipalName : VALID-USER@my-konzern.de
>
> However when he tries to connect to postgres we see this error message.
>
> Postgres-Log
> LOG:  LDAP user "VALID-USER" does not exist
> FATAL:  LDAP authentication failed for user "VALID-USER"
>
> PG_HBA.CONF entry is shown below.
>
> pg_hba.conf
> host   all             all              0.0.0.0/0             ldap ldapserver=ldap.my-konzern.de ldapport=389 ldapbinddn="CN=Postgres-LDAP,OU=Konten,OU=PROD,OU=PostgreSQL,OU=Ressourcen,DC=my-konzern,DC=de" ldapbindpasswd="dF3@3#s$P1" ldapbasedn="OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de" ldapscheme=ldap ldapsearchfilter="(&(objectClass=user)( sAMAccountName=%u)(memberOf=CN=G_APP_Postgres_Users,OU=Anwendungen,OU=Gruppen,OU=Identity,DC=my-konzern,DC=de))"
>
> What could be the source of this error?

I'd say that because PostgreSQL <> Postgres, you won't find user
"CN=VALID-USER,OU=Konten,OU=EWT,OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de"
under the base distinguished name "OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de".

Try with ldapbasedn="OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de".

> How to debug this problem step by step to see where exactly the chain is disconnected?

Copy and paste is your friend, it avoids typos.

Yours,
Laurenz Albe
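
Added example (not part of the original message and not PostgreSQL's own code): an offline check of the search step described in the reply, testing whether the DistinguishedName that Get-ADUser returned lies under the configured ldapbasedn. It goes slightly beyond the thread by also checking for the `$username` placeholder that the PostgreSQL documentation defines for ldapsearchfilter. The function names, the simplified DN parsing and the placeholder password are assumptions made for this sketch.

```python
import re
import shlex

# Constructed sample: the pg_hba.conf entry from the question, bind password
# replaced by a placeholder. USER_DN is the DistinguishedName Get-ADUser printed.
HBA_LINE = (
    'host all all 0.0.0.0/0 ldap ldapserver=ldap.my-konzern.de ldapport=389 '
    'ldapbinddn="CN=Postgres-LDAP,OU=Konten,OU=PROD,OU=PostgreSQL,OU=Ressourcen,'
    'DC=my-konzern,DC=de" ldapbindpasswd="PLACEHOLDER" '
    'ldapbasedn="OU=Postgres,OU=Ressourcen,DC=my-konzern,DC=de" ldapscheme=ldap '
    'ldapsearchfilter="(&(objectClass=user)( sAMAccountName=%u)(memberOf=CN='
    'G_APP_Postgres_Users,OU=Anwendungen,OU=Gruppen,OU=Identity,DC=my-konzern,DC=de))"'
)
USER_DN = "CN=VALID-USER,OU=Konten,OU=EWT,OU=PostgreSQL,OU=Ressourcen,DC=my-Konzern,DC=de"


def ldap_options(hba_line):
    """Return the name=value options that follow the 'ldap' method keyword."""
    fields = shlex.split(hba_line)  # assumption: shell-style quoting fits this line
    return dict(opt.split("=", 1) for opt in fields[fields.index("ldap") + 1:])


def rdns(dn):
    """Split a DN into case-folded RDNs (simplified: no multi-valued RDNs, no hex escapes)."""
    return [re.sub(r"\s*=\s*", "=", p.strip(), count=1).casefold()
            for p in re.split(r"(?<!\\),", dn)]


def is_within_base(dn, base_dn):
    """True if dn equals base_dn or lies below it in the directory tree."""
    d, b = rdns(dn), rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def diagnose(hba_line, user_dn):
    """List reasons why the search step of search+bind would not return user_dn."""
    opts, findings = ldap_options(hba_line), []
    if not is_within_base(user_dn, opts["ldapbasedn"]):
        findings.append(f"user DN is outside ldapbasedn {opts['ldapbasedn']!r}")
    flt = opts.get("ldapsearchfilter", "")
    if flt and "$username" not in flt:
        # PostgreSQL replaces $username in ldapsearchfilter; anything else is sent as-is.
        findings.append("ldapsearchfilter has no $username placeholder")
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(HBA_LINE, USER_DN)))
```

An empty result only means these two static checks pass; the bind account's read access to the subtree still has to be confirmed against the directory itself.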