Hi, I am just back from holiday and wanted to test the same (as I authored this LDAP change request I think its overdue to test it __ ))
To ensure the env is fine I executed ldapsearch on the docker host to have some check first: ldapsearch -LLL -x -h ldap.mgi.de:389 -D "cn=SVCLDAP,cn=Users,dc=asf,dc=madm,dc=net" -w xxxxxx -b"dc=madm,dc=net" userPrincipalName=heiko.onnebr...@metronom.com I got some fine output back within some ms: dn: CN=Onnebrink Heiko,OU=HQ01-DUS,OU=Users,OU=DE,OU=MSYS,DC=r2,DC=madm,DC=netobjectClass: topobjectClass: person objectClass: organizationalPerson objectClass: user cn: Onnebrink Heiko sn: Onnebrink c: DE l: Duesseldorf title: Mr description: XPC User (migriert) - managed by identityDirectory postalCode: 40235 physicalDeliveryOfficeName: 09.02.207 etc (truncated) Next I transferred the args from test and passed them to pgBadger docker container docker run -p 443:443 -e PGADMIN_DEFAULT_EMAIL=ad...@metronom.com -e PGADMIN_DEFAULT_PASSWORD=admin -e 'PGADMIN_CONFIG_AUTHENTICATION_SOURCES=["ldap"]' -e 'PGADMIN_CONFIG_LDAP_SERVER_URI="ldap://ldap.mgi.de:389";' -e 'PGADMIN_CONFIG_LDAP_USERNAME_ATTRIBUTE="userPrincipalName"' -e 'PGADMIN_CONFIG_LDAP_BIND_USER="cn=SVCLDAP,cn=Users,dc=asf,dc=madm,dc=net"' -e 'PGADMIN_CONFIG_LDAP_BIND_PASSWORD="xxxxxx"' -e 'PGADMIN_CONFIG_LDAP_SEARCH_BASE_DN="dc=madm,dc=net"' -e PGADMIN_CONFIG_LDAP_AUTO_CREATE_USER=True -e PGADMIN_ENABLE_TLS=TRUE -v '/dockerdata/pgadmin/servers.json:/servers.json' -v '/dockerdata/pgadmin/server.cert:/certs/server.cert' -v '/dockerdata/pgadmin/server.key:/certs/server.key' --name pgadminssl registry.metroscales.io/rdb-dev/pgadmin:latest NOTE: Configuring authentication for SERVER mode. sudo: setrlimit(RLIMIT_CORE): Operation not permitted [2020-08-11 10:45:49 +0000] [1] [INFO] Starting gunicorn 19.9.0 [2020-08-11 10:45:49 +0000] [1] [INFO] Listening at: http://[::]:443 (1) [2020-08-11 10:45:49 +0000] [1] [INFO] Using worker: threads /usr/local/lib/python3.8/os.py:1023: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used return io.open(fd, *args, **kwargs) [2020-08-11 10:45:49 +0000] [97] [INFO] Booting worker with pid: 97 I started up pgAdmin web and entered heiko.onnebr...@metronom.com with pwd as credentials After logon a new window pops up with this Json result { success:0, result:null, info:"", data:null, errormsg:"error receiving data: timed out" } Here the error stack from pgAdmin container: ::ffff:10.97.177.148 - - [11/Aug/2020:10:49:02 +0000] "GET / HTTP/1.1" 302 237 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15" ::ffff:10.97.177.148 - - [11/Aug/2020:10:49:02 +0000] "GET /login?next=%2F HTTP/1.1" 200 1698 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15" 2020-08-11 10:49:27,835: ERROR flask.app: error receiving data: timed out Traceback (most recent call last): File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 82, in receiving data = self.connection.socket.recv(self.socket_size) socket.timeout: timed out During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1813, in full_dispatch_request rv = self.dispatch_request() File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1799, in dispatch_request return self.view_functions[rule.endpoint](**req.view_args) File "/pgadmin4/pgadmin/authenticate/__init__.py", line 55, in login status, msg = auth_obj.authenticate() File "/pgadmin4/pgadmin/authenticate/__init__.py", line 118, in authenticate status, msg = source.authenticate(self.form) File "/pgadmin4/pgadmin/authenticate/ldap.py", line 73, in authenticate status, ldap_user = self.search_ldap_user() File "/pgadmin4/pgadmin/authenticate/ldap.py", line 228, in search_ldap_user self.conn.search(search_base=search_base_dn, File "/usr/local/lib/python3.8/site-packages/ldap3/core/connection.py", line 819, in search response = self.post_send_search(self.send('searchRequest', request, controls)) File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 139, in post_send_search responses, result = self.get_response(message_id) File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/base.py", line 353, in get_response responses = self._get_response(message_id, timeout) File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 157, in _get_response responses = self.receiving() File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 92, in receiving raise communication_exception_factory(LDAPSocketReceiveError, type(e)(str(e)))(self.connection.last_error) ldap3.core.exceptions.LDAPSocketReceiveError: error receiving data: timed out ::ffff:10.97.177.148 - - [11/Aug/2020:10:49:27 +0000] "POST /authenticate/login HTTP/1.1" 500 94 "https://10.96.48.68/login?next=%2F"; "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15" Thanks for any advice cheers Heiko From: Khushboo Vashi <khushboo.va...@enterprisedb.com> Date: Tuesday, 11. August 2020 at 06:09 To: Hendrik Hansmeier <hendrik.hansme...@hh-it.co> Cc: "pgadmin-support lists.postgresql.org" <pgadmin-support@lists.postgresql.org> Subject: [EXT] Re: pgadmin4 container deployment with ldap-authentication Hi, On Tue, Aug 11, 2020 at 4:35 AM Hendrik Hansmeier <mailto:hendrik.hansme...@hh-it.co> wrote: Hi, i am trying to get pgadmin4 running in server-mode as a docker-container. So i pulled the image and after i tried out the image a little bit, i tried to use ldap-authentication. Unfortunately, i didn't get it running as expected. I am not able to authenticate against my samba 4-domain. This is how i tried to launch the container: docker run -p 8280:80 -e "PGADMIN_DEFAULT_EMAIL=<emailAddress>" -e "PGADMIN_DEFAULT_PASSWORD=<password>" -e "AUTHENTICATION_SOURCES=['ldap']" -e "LDAP_AUTO_CREATE_USER=True" -e "LDAP_SERVER_URI='ldaps://<domaincontroller>:636'" -e "LDAP_BASE_DN='cn=Users,dc=mydomain,dc=local'" -e "LDAP_BIND_USER='cn=User1,cn=Users,dc=mydomain,dc=local'" -e "LDAP_BIND_PASSWORD=<BindDNPassword>" -e "LDAP_CA_CERT_FILE='/etc/ssl/certs/myca.pem'" -e "LDAP_CERT_FILE='/etc/ssl/certs/my.cert.pem'" -e "LDAP_KEY_FILE='/etc/ssl/private/my.key.pem'" -d dpage/pgadmin4 I am using the container behind a reverse-proxy on nginx (debian buster), for the first try via http. The authentication with the given user PGADMIN_DEFAULT_EMAIL works as expected but ldap-authentication results in an error-message "Specified user does not exist". Am i using the environment-parameters for ldap-authentication correctly? May a reverse-proxy over https help to get ldaps working? The variable prefix "PGADMIN_CONFIG_" should be used to override any of the configuration options in pgAdmin’s config.py file. So add this prefix to all the config params you have used. (Ex, AUTHENTICATION_SOURCES, LDAP_SERVER_URI etc...) Ex: AUTHENTICATION_SOURCES should be PGADMIN_CONFIG_AUTHENTICATION_SOURCES Please refer https://www.pgadmin.org/docs/pgadmin4/4.24/container_deployment.html#environment-variables for more information. Also, set LDAP_SEARCH_BASE_DN param which is required to configure LDAP Authentication in Dedicated User mode (which you have configured). Please refer https://www.pgadmin.org/docs/pgadmin4/4.24/enabling_ldap_authentication.html Thanks, Khushboo -- Best regards, Hendrik Hansmeier Hendrik Hansmeier IT-Consulting ::: Bunsenstraße 5 ::: 51647 Gummersbach FON +49 (0) 2261 814 174 ::: MOB +49 (0) 151 235 866 02 ::: E-MAIL mailto:hendrik.hansme...@hh-it.co USt-IdNr.: DE311717013 ::: Finanzamt Gummersbach Geschäftsanschrift/Business address: METRO-NOM GmbH, Metro-Straße 12, 40235 Duesseldorf, Germany Aufsichtsrat/Supervisory Board: Olaf Koch (Vorsitzender/Chairman) Geschäftsführung/Management Board: Timo Salzsieder (Vorsitzender/CEO), Felix Lindemann (COO), Frank Hammerle (CFO) Sitz Düsseldorf, Amtsgericht Düsseldorf, HRB 18232/Registered Office Düsseldorf, Commercial Register of the Düsseldorf Local Court, HRB 18232 Betreffend Mails von *@metronom.com <http://metrosystems.net/> Die in dieser E-Mail enthaltenen Nachrichten und Anhänge sind ausschließlich für den bezeichneten Adressaten bestimmt. Sie können rechtlich geschützte, vertrauliche Informationen enthalten. Falls Sie nicht der bezeichnete Empfänger oder zum Empfang dieser E-Mail nicht berechtigt sind, ist die Verwendung, Vervielfältigung oder Weitergabe der Nachrichten und Anhänge untersagt. Falls Sie diese E-Mail irrtümlich erhalten haben, informieren Sie bitte unverzüglich den Absender und vernichten Sie die E-Mail. Regarding mails from *@metronom.com <http://metrosystems.net/> This e-mail message and any attachment are intended exclusively for the named addressee. They may contain confidential information which may also be protected by professional secrecy. Unless you are the named addressee (or authorised to receive for the addressee) you may not copy or use this message or any attachment or disclose the contents to anyone else. If this e-mail was
