> From: Tom Lane <t...@sss.pgh.pa.us> > aaron_wri...@selinc.com writes: > > I recently upgraded from 8.4 to 9.3, and my custom LDAP PAM module no > > longer works. > > 8.4.what and 9.3.what?
8.4.16 to 9.3.4 > Have you checked the behavior in any other releases? Not yet. I was interested in getting a laugh test from the mailing list first; to see if I was completely off my rocker or not. > > In brief, my LDAP PAM module authenticates a centralized user and then > > creates a matching database user, using a separate super user connection > > to the database, before returning successfully from the PAM module. This > > used to work beautifully, but now I get a FATAL error, "role %s does not > > exist". > > That seems mighty Rube Goldbergian >From what I've researched this is the only way to accomplish what I'm trying to. Everything I read online keeps telling me that in order for LDAP to work with postgresql, the user must already exist in the database. Most of the workarounds for this, involve a cron job that sucks up the entire directory of users and creates matching users in the database periodically. That seems a little crazy to me, so I have a PAM LDAP module which creates the users on the fly. > ... but it's not clear why it used to > work and doesn't anymore. If you'd said 9.4 I'd have guessed at a corner > case in catalog snapshot invalidation, but I think 9.3 would just be > looking for the role with SnapshotNow, which should pretty much always > work. (You're sure the transaction in the background is getting committed > in time, right? And it's being sent to the 9.3 DB not the 8.4 one?) The PAM LDAP module uses PQconnectdb to create a super user connection to the database. It uses PQexec to run "CREATE USER 'user' PASSWORD NULL IN ROLE 'role';". And finishes up with a PQfinish before PAM_SUCCESS is returned to postgres. I'm a bit limited in my database knowledge, so please let me know if that sequence is leaving something dangling. I see the "CREATE USER" query in the pg_log file. Also, if I try to log in a second time, it works fine. This is presumably because the user now exists. > Also, just to clarify: this is a PAM auth module that just happens to talk > to some LDAP server behind the scenes, right? If Postgres thinks this is > LDAP auth method then some other possibilities open up --- but AFAICS > we've not touched the PAM code since 8.4.2. You're correct, this is a PAM auth module that handles talking to the LDAP server and authenticating the user. pg_hba.conf line includes "host all all 0.0.0.0/0 pam pamservice=..." and there's a matching pam configuration file. I'm not familiar with the "LDAP auth method", but I don't think I can use that as the documents say, "user must already exist" in that situation, which is the same problem I'm trying to fix. > regards, tom lane
