Effectively working with LDAP as an authentication mechanism for PostgreSQL typically requires extensive knowledge in both domains. While trying to be as complete yet succinct as possible, I’m detailing how to enable TLS between a PostgreSQL and the OpenLDAP server.
Ironically, the most complicated aspect has nothing to do with either PostgreSQL or OpenLDAP but with the steps of creating and signing private keys and certificates.
Note: I had seriously thought about leaving out much of the OpenLDAP commands, but I figured it might benefit you if you’re like me since I don’t touch this very often.
The underlying assumptions are:
The Proof Of Concept described in this document consists of a single stand-alone server:
Apart from the standard steps of installing and configuring Postgres for remote access, edit the host-based authentication file enabling Postgres to refer to the LDAP service for authentication.
ROLES and useraccounts used in Postgres should be declared. Keep in mind that assigning passwords is NOT required:
|
1 |
-- Example<br>create role user1 with login password null;<br>create role user2 with login password null; |
pg_hba.conf assumptions:
|
1 |
# IPv4 local connections:<br>host all all 0.0.0.0/0 ldap ldapserver=127.0.0.1 ldapprefix="cn=" ldapsuffix=", dc=pg_user, dc=nodomain"<br><br># IPv6 local connections:<br>host all all ::0/0 ldap ldapserver=127.0.0.1 ldapprefix="cn=" ldapsuffix=", dc=pg_user, dc=nodomain" |
|
1 |
apt-get install -y slapd ldap-utils |
Running netstat, (netstat -tlnp), returns the following:
|
1 |
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name <br>tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 7742/slapd <br>tcp6 0 0 :::389 :::* LISTEN 7742/slapd |
You can control the behavior of OpenLDAP by using these command line utilities:
It is understood that administering the LDAP server requires setting the password. Although the installation of LDAP includes setting the password, which will be admin, by executing the following command, one can reset the password at will:
|
1 |
# Select "No" when asked to configure the database with dbconfig-common.<br># Set the domain name for your LDAP server, for example, "example.com".<br># Set the organization name for your LDAP server, for example, "Example Inc".<br># Set the administrator password for your LDAP server.<br><br>dpkg-reconfigure slapd |
The following bash script demonstrates configuring OpenLDAP to authenticate three Postgres ROLES, i.e., postgres, user1, and user2:
|
1 |
#!/bin/bash<br>set -e<br>##########################################<br>#<br># admin password is "admin"<br># the top domain is assigned as "nodomain"<br>#<br>ldapadd -v -xD "cn=admin,dc=nodomain" -w admin <<_eof_<br># create the topmost domain<br>dn: dc=pg_user,dc=nodomain<br>objectClass: dcObject<br>objectClass: organization<br>dc: pg_user<br>o: Postgres Users<br>description: all postgres users reside here<br><br># create SUPERUSER ROLE postgres<br>dn: cn=postgres,dc=pg_user,dc=nodomain<br>objectclass: top<br>objectclass: person<br>cn: postgres<br>sn: postgres<br>userPassword: postgres<br>_eof_<br><br>#<br>##########################################<br># ADD ROLES<br><br>ldapadd -v -xD "cn=admin,dc=nodomain" -w admin <<_eof_<br># creating other user accounts, down the road<br># create role user1<br>dn: cn=user1,dc=pg_user,dc=nodomain<br>objectclass: top<br>objectclass: person<br>cn: user1<br>sn: user1<br>userPassword: user1<br><br># create role user2<br>dn: cn=user2,dc=pg_user,dc=nodomain<br>objectclass: top<br>objectclass: person<br>cn: user2<br>sn: user2<br>userPassword: user2<br>_eof_ |
A simple login confirms LDAP and PostgreSQL are working correctly. Even though there is an encrypted session between psql and the Postgres server, there is no encrypted session between Postgres and LDAP as authentication is performed:
|
1 |
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)<br>root@my-ldap:~# psql 'host=my-ldap dbname=postgres user=postgres password=postgres' -c "select 'ping' as test_connectivity" <br>test_connectivity <br>-------------------<br>ping<br><br>root@my-ldap:~# psql 'host=my-ldap dbname=postgres user=user1 password=user1' -c "select 'ping from user1' as test_connectivity" <br>test_connectivity <br>-------------------<br>ping from user1<br><br>root@my-ldap:~# psql 'host=my-ldap dbname=postgres user=user2 password=user2' -c "select 'ping from user2' as test_connectivity" <br>test_connectivity <br>-------------------<br>ping from user2<br> |
To work with SSL certificates, these packages should be present, i.e., for the Ubuntu distribution:
|
1 |
apt install -y gnutls-bin ssl-cert |
Authentication between the Postgres and LDAP servers includes that the hosts making connection attempts are, in fact, legitimate. For that reason, the certificates for both servers must be signed, i.e., a Certificate Authority mechanism is required.
|
1 |
#<br># Generate private key for self-signed Certificate Authority<br>#<br>certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem |
In this case, the CA certificate is configured to expire in ten years:
|
1 |
#<br># Define CA certificate attributes<br>#<br>echo "cn = my-ldap<br>ca<br>cert_signing_key<br>expiration_days = 3650" > /etc/ssl/ca.info |
An internal system can get away using self-signed CA certificates, otherwise, it is strongly recommended that your certificates be signed by an authorized CA. In this case, the certificate, once signed, is placed in the same directory where the other CA certificates are stored, i.e., /usr/local/share/ca-certificates:
|
1 |
#<br># Generate a self-signed CA certificate and<br># copy the CRT to other trusted CA certificates that includes<br># both postgres and ldap servers (/usr/local/share/ca-certificates/)<br>#<br>certtool --generate-self-signed <br>--load-privkey /etc/ssl/private/mycakey.pem <br>--template /etc/ssl/ca.info <br>--outfile /usr/local/share/ca-certificates/mycacert.crt |
ATTENTION: Once signed, the CA certificate is copied onto the Postgres and LDAP servers respectively. In this case, as they are on the same host, it is located on host my-ldap. Otherwise, it MUST be copied to all Postgres and LDAP hosts.
Once copied into the correct directory, the list of CA certificates is updated, adding the self-signed CA certificate:
|
1 |
#<br># Update list of CA certificate on both<br># postgres and LDAP servers<br>#<br>update-ca-certificates |
From here on, it is important to include the fully qualified domain name of the LDAP certificate hostname, i.e., my-ldap.
Generate a private key for LDAP server:
|
1 |
certtool --generate-privkey <br>--bits 2048 <br>--outfile /etc/ldap/my-ldap_slapd_key.pem |
Define LDAP certificate attributes:
|
1 |
# for a certificate request which expires<br># in one year<br>#<br>echo "organization = mycompany<br>cn = my-ldap<br>tls_www_server<br>encryption_key<br>signing_key<br>expiration_days = 365" > /etc/ssl/my-ldap.info<br> |
Sign the LDAP private key using the self-signed Certificate Authority certificate and its private key:
|
1 |
certtool --generate-certificate <br>--load-privkey /etc/ldap/my-ldap_slapd_key.pem <br>--load-ca-certificate /etc/ssl/certs/mycacert.pem <br>--load-ca-privkey /etc/ssl/private/mycakey.pem <br>--template /etc/ssl/my-ldap.info <br>--outfile /etc/ldap/my-ldap_slapd_cert.pem |
Update access permissions of the private key:
|
1 |
sudo chgrp openldap /etc/ldap/my-ldap_slapd_key.pem<br>sudo chmod 0640 /etc/ldap/my-ldap_slapd_key.pem |
Create and save the LDAP TLS configuration file, certinfo.ldif:
|
1 |
echo "dn: cn=config<br>add: olcTLSCACertificateFile<br>olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem<br>-<br>add: olcTLSCertificateFile<br>olcTLSCertificateFile: /etc/ldap/my-ldap_slapd_cert.pem<br>-<br>add: olcTLSCertificateKeyFile<br>olcTLSCertificateKeyFile: /etc/ldap/my-ldap_slapd_key.pem" > /etc/ldap/schema/certinfo.ldif |
Enable OpenLDAP to use TLS:
|
1 |
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/certinfo.ldif |
Validation returns the string “anonymous”:
|
1 |
ldapwhoami -x -ZZ -H ldap://my-ldap |
This test confirms that the previous behavior without TLS still works:
|
1 |
# without TLS<br>ldapsearch -x -H ldap://my-ldap -b dc=nodomain -D cn=admin,dc=nodomain -w admin |
This test should return the exact output of the previous ldapsearch. Failure is indicated by a short message which is invoked by using the switch “-zz”.
|
1 |
# with TLS<br>ldapsearch -x -ZZ -H ldap://my-ldap -b dc=nodomain -D cn=admin,dc=nodomain -w admin |
This is the host-based rule with TLS configured; notice the minor edit in red:
|
1 |
# IPv4 local connections:<br>hostssl all all 0.0.0.0/0 ldap ldapserver=tmp ldapprefix="cn=" ldapsuffix=", dc=pg_user, dc=nodomain" <span style="color: #ff0000;">ldaptls=1</span><br><br># IPv6 local connections:<br>host all all ::0/0 ldap <span style="color: #000000;">ldapserver=tmp</span> ldapprefix="cn=" ldapsuffix=", dc=pg_user, dc=nodomain" <span style="color: #ff0000;">ldaptls=1</span> |
After updating pg_hba.conf with the new argument, ldaptls=1, a server reload is executed, followed by a psql ping:
|
1 |
systemctl reload postgresql@14-main |
|
1 |
root@my-ldap:~# psql 'host=10.231.38.243 dbname=postgres user=postgres password=postgres' -c "select 'ping from postgres' as test_connectivity"<br>test_connectivity <br>--------------------<br>ping from postgres |
Percona Distribution for PostgreSQL provides the best and most critical enterprise components from the open-source community, in a single distribution, designed and tested to work together.
