
I presently use "md5" authentication for access from the lan:

host all all 192.168.1.0/24 md5

I want to add ldap authentication method, so I added this line before:

host all all 192.168.1.0/24 ldap "ldap://192.168.1.2/basedn;uid=;,cn=xx,dc=yy,dc=zz,dc=ca"

This works great with LDAP accounts, but if I try to log in with an account not present on the LDAP server, the login fails (PostgreSQL doesn't try the md5 authentication).

Is there a way to support more than one authentication method with PostgreSQL?

Francis

3 Answers


No -- Since the pg_hba.conf records are examined sequentially for each connection attempt, the order of the records is significant. -- In other words "First match is the method I'm going to use".
You would have to explicitly list all the local (md5) accounts before proceeding to the "all users" LDAP authentication in order for this to work (and that starts to get hairy with maintaining the pg_hba.conf file).

As a workaround you can use the pam authentication method, and configure PAM's "postgres" service to use whatever methods you wish (including falling back to alternate methods), but this limits you to whatever PAM modules are installed/configured on your system.
(For suitably broad definitions of "limits" -- e.g. you could use one-time passwords for Postgres accounts if you use PAM as the authentication method).

voretaq7
  • Thank you for the answer. I defined this rule: `host all @pgUsers 192.168.1.0/24 md5` and created a pgUsers file to define users to authenticate against pg authentication instead of LDAP. Seems to work great. – Francis Mar 19 '12 at 12:37
  • Also a good solution -- the only downside I see is that it doesn't buy you the (potential for) single sign-on like LDAP would. – voretaq7 Mar 19 '12 at 15:29
  • I still use LDAP for authenticating my users. I use PostgreSQL auth only for user accounts used by web applications because I don't want to create LDAP accounts for them. – Francis Mar 19 '12 at 18:41
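The first-match rule from the accepted answer, as an added example (not code from the original answers): a simplified pg_hba.conf matcher that walks records top to bottom and returns the method of the first one that matches, so you can check an ordering before deploying it. The `@pgUsers` file contents and the role membership behind the `+postgres` notation (from the last answer and its comment) are assumptions supplied here as constructed dicts.

```python
import ipaddress
import shlex
# Constructed stand-ins: the "@pgUsers" file from the comments and the role
# membership behind the "+postgres" notation in the last answer.
USER_FILES = {"pgUsers": {"webapp", "reporting"}}
ROLE_MEMBERS = {"postgres": {"postgres", "app_admin"}}

def parse_hba(text):
    # (type, database, user, address, method); trailing options are ignored
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = shlex.split(line)
        if f[0] == "local":  # local records carry no address field
            records.append((f[0], f[1], f[2], None, f[3]))
        else:
            records.append((f[0], f[1], f[2], f[3], f[4]))
    return records

def user_matches(spec, user):
    for item in spec.split(","):
        if item in ("all", user):
            return True
        if item.startswith("@") and user in USER_FILES.get(item[1:], set()):
            return True
        if item.startswith("+") and user in ROLE_MEMBERS.get(item[1:], set()):
            return True
    return False

def addr_matches(spec, addr):
    if spec == "all":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def auth_method(hba_text, ctype, db, user, addr=None):
    # First matching record wins; None means no record matched (connection rejected).
    for r_type, r_db, r_user, r_addr, method in parse_hba(hba_text):
        if r_type != ctype or not user_matches(r_user, user):
            continue
        if r_db != "all" and db not in r_db.split(","):
            continue
        if ctype != "local" and not addr_matches(r_addr, addr):
            continue
        return method
    return None
# The asker's order (LDAP first, md5 unreachable from the LAN) and the fix from
# the comments (an explicit @pgUsers record placed before the LDAP one).
ASKER = 'host all all 192.168.1.0/24 ldap "ldap://192.168.1.2/basedn"\nhost all all 192.168.1.0/24 md5\n'
FIXED = "host all @pgUsers 192.168.1.0/24 md5\n" + ASKER
```

Running `auth_method(ASKER, "host", "appdb", "webapp", "192.168.1.50")` returns `"ldap"`, while the same call against `FIXED` returns `"md5"`, which is exactly the difference the accepted answer describes.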

This works for me:

local all postgres peer

host all user1,user2 0.0.0.0/0 ldap ldapserver=192.168.0.1 ldapbasedn="DC=domain,DC=local" ldapbinddn="admin@domain" ldapbindpasswd="*******" ldapsearchattribute="sAMAccountName"

local all all peer

host all all 0.0.0.0/0 md5

host all all 10.10.10.2/32 trust #Don't mind this line...


I ran into this same problem; I wanted to use md5 for an application user and ldap for other users in my organization. One difference is that I am using the official Docker Postgres image, but my method should still work for the regular Postgresql users.

The Docker Postgres image comes with a postgres user by default. You can add a specific user to your pg_hba.conf file by prepending the username with a plus sign +.

My pg_hba.conf ended up being the following:

local all all                    trust
host  all all       127.0.0.1/32 trust
host  all all       ::1/128      trust
host  all +postgres all          md5
host  all all       all          ldap ldapurl="ldap://192.168.1.2:389/ou=People,dc=Company,dc=com?uid?one"

The second to last line there supports the application user, postgres, and the last line there supports multiple LDAP user accounts.

xhienne
NHenderson
  • AFAIK the +abcd notation does not mean "add a specific user" but "allow ANY local user in the group abcd". – xhienne Jan 04 '19 at 12:20