On Tue, Sep 25, 2018 at 2:09 PM Thomas Munro <thomas.mu...@enterprisedb.com> wrote:
> Some people like to use DNS SRV records to advertise LDAP servers on
> their network. Microsoft Active Directory is usually (always?) set up
> that way. Here is a patch to allow our LDAP auth module to support
> that kind of discovery. It copies the convention of the OpenLDAP
> command line tools: if you give it a URL that has no hostname, it'll
> try to extract a domain name from the bind DN, and then ask your DNS
> server for a SRV record for LDAP-over-TCP at that domain. The
> OpenLDAP version of libldap.so exports the magic to do that, so the
> patch is very small (but the infrastructure set-up to test it is a bit
> of a schlep, see below). I'll add this to the next Commitfest.
>
> [long tedious explanation of how to set up a test with BIND and OpenLDAP on
> Unix]
Of course the point of this is not really for the Unix-based set-up I
described, but for Microsoft environments with one or more AD servers
and a PostgreSQL server running on (eg) Linux that wants to find AD.
In such environments, from what I can tell, the following should work:

Standard DNS lookup tools should be able to find SRV records
advertising the host, port and weight (priority) of any AD servers on
the network:

  $ nslookup -type=any _ldap._tcp.YOUR.DOMAIN
  $ dig srv _ldap._tcp.YOUR.DOMAIN
  $ host -t srv _ldap._tcp.YOUR.DOMAIN

OpenLDAP command line tools should be able to find the AD server via
those SRV records, extracting YOUR.DOMAIN from the base DN:

  $ ldapsearch -H 'ldap:///dc%3DYOUR%2Cdc%3DDOMAIN' ...

pg_hba.conf with an explicit LDAP server name should be able to talk
to Active Directory without using this patch with something like:

  host all all 127.0.0.1/32 ldap ldapurl="ldap://YOUR-AD-SERVER.YOUR.DOMAIN/dc=YOUR,dc=DOMAIN?cn?sub"

pg_hba.conf using this patch should be able to discover the LDAP
server via SRV if you take out the server name:

  host all all 127.0.0.1/32 ldap ldapurl="ldap:///dc=YOUR,dc=DOMAIN?cn?sub"

I'm hoping someone can help test this in a real Active Directory
environment.

--
Thomas Munro
http://www.enterprisedb.com
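The discovery convention described in this thread (no host in the LDAP URL, domain taken from the dc= components of the base DN, then a SRV query for _ldap._tcp.<domain>), as an added Python illustration that is not part of the patch or of libldap. The SRV answers come from a constructed in-memory table standing in for DNS, and the candidates are ordered by RFC 2782 priority and weight before use.

```python
import random
from urllib.parse import unquote, urlsplit

# Constructed sample SRV data (offline stand-in for DNS); tuples use the RFC 2782 layout (priority, weight, port, target).
SAMPLE_SRV = {
    "_ldap._tcp.YOUR.DOMAIN": [
        (0, 100, 389, "dc1.your.domain."),
        (0, 50, 389, "dc2.your.domain."),
        (10, 0, 389, "dc3.your.domain."),   # backup: only tried after all priority-0 hosts
    ],
}

def domain_from_dn(dn):
    """Join the dc= RDNs of a DN in order: dc=YOUR,dc=DOMAIN -> YOUR.DOMAIN."""
    labels = []
    for rdn in dn.split(","):  # simplification: escaped commas in RDN values are not handled
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "dc":
            labels.append(value.strip())
    if not labels:
        raise ValueError("no dc= components in DN %r" % dn)
    return ".".join(labels)

def order_srv(records, rng=random.random):
    """RFC 2782 order: lowest priority first, weighted random draw within a priority (rng injectable for tests)."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:                        # draw one record at a time, proportional to weight
            total = sum(r[1] for r in group)
            pick, acc, x = group[0], 0, rng() * total
            for r in group:
                acc += r[1]
                if x < acc:
                    pick = r
                    break
            ordered.append(pick)
            group.remove(pick)
    return ordered

def discover_ldap_servers(ldapurl, srv_lookup=SAMPLE_SRV.get, rng=random.random):
    """Return [(host, port), ...]; with no host in the URL, derive the domain from the base DN and ask for SRV."""
    parts = urlsplit(ldapurl)
    if parts.hostname:                      # explicit server given: no discovery needed
        return [(parts.hostname, parts.port or 389)]
    domain = domain_from_dn(unquote(parts.path.lstrip("/")))
    records = srv_lookup("_ldap._tcp." + domain)   # a real resolver is case-insensitive; the sample table is not
    if not records:
        raise LookupError("no SRV records for _ldap._tcp." + domain)
    return [(t.rstrip("."), port) for _, _, port, t in order_srv(records, rng)]
```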