LinuxQuestions.org

Thread: PostgreSQL auth over LDAPS: "could not start LDAP TLS session: error code -1" (http://www.linuxquestions.org/questions/linux-server-73/postgresql-auth-over-ldaps-could-not-start-ldap-tls-session-error-code-1-a-906383/)

lefty.crupps 10-04-2011 09:56 AM

PostgreSQL auth over LDAPS: "could not start LDAP TLS session: error code -1"
 
I am trying to get PostgreSQL to authenticate over LDAPS on another server; the PostgreSQL server is Debian 6.0.2 (Squeeze), x64, fully updated as of today:

Package: postgresql
Version: 8.4.8-0squeeze2

Package: gnutls-bin
Version: 2.8.6-1

Followed much of the info from here for my PostgreSQL setup:
http://www.stuartellis.eu/articles/postgresql-setup/

I can get LDAP authentication working, but not LDAPS (/etc/postgresql/8.4/main/pg_hba.conf):
Code:

## This works but isn't encrypted:
local  all        all                              ldap ldapserver=auth.mydomain.net ldapport=389 ldaptls=0 ldapprefix="uid=" ldapsuffix=",ou=People,dc=mydomain,dc=net"

## Hoping to get this working:
# local  all        all                              ldap ldapserver=auth.mydomain.net ldapport=636 ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=People,dc=mydomain,dc=net"

The error when I try with LDAPS is:
Code:

2011-09-30 14:05:33 CDT LOG:  could not start LDAP TLS session: error code -1
2011-09-30 14:05:33 CDT FATAL:  LDAP authentication failed for user "username"

I can connect to that Auth server on port 636:
Code:

root@pgsql:~# telnet auth.mydomain.net 636
Trying 67.139.30.51...
Connected to auth.mydomain.net.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@pgsql:~#

That server is authenticating over LDAPS port 636 for normal uses, but I cannot get PostgreSQL itself to do so. Can anyone assist please?

acid_kewpie 10-05-2011 03:13 AM

Are you dealing with LDAPS or LDAP w/ TLS? Using a TLS session, with StartTLS, this will use port 389 and convert to an encrypted session, unlike an SSL session on 636 where it's SSL from the very very start.

lefty.crupps 10-06-2011 01:44 PM

I'd like to deal with LDAPS on port 636 using SSL.

acid_kewpie 10-07-2011 03:22 AM

Right, so don't try to use TLS then. From a minute on Google it looks like you would want to use an ldaps:// style URL instead: http://wiki.postgresql.org/wiki/LDAP...ion_against_AD
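Added example (not code from the thread or from the PostgreSQL project): a small Python audit that parses the ldap rules in a pg_hba.conf and reports the transport each one actually gets, using the distinction acid_kewpie draws above. ldaptls=1 is StartTLS: connect in the clear (normally port 389) and then ask the server to upgrade. LDAPS is TLS from the first byte, normally on 636. Pointing ldaptls=1 at port 636, as in the opening post, sends a plaintext StartTLS request to a port that expects a TLS handshake first, and the OpenLDAP client library reports the failed upgrade as LDAP_SERVER_DOWN, which is error code -1. The sample configuration below is constructed, auth.example.net is a placeholder host, and the ldapscheme and ldapurl parameters the audit recognises exist only in later PostgreSQL releases (ldapurl from 9.4, ldapscheme and ldaps:// URLs from 11); PostgreSQL 8.4 as used in the thread has ldaptls only.

```python
"""Audit pg_hba.conf 'ldap' rules for how the LDAP bind travels on the wire."""
import shlex
from dataclasses import dataclass

# Constructed sample, modelled on the thread's lines (NOT the poster's file).
# The ldapscheme=ldaps line uses a parameter that only exists in PostgreSQL 11+.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS     METHOD  [OPTIONS]
local   all       all                   ldap ldapserver=auth.example.net ldapport=389 ldaptls=0 ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=net"
host    all       all       10.0.0.0/8  ldap ldapserver=auth.example.net ldapport=636 ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=net"
host    all       all       10.0.0.0/8  ldap ldapserver=auth.example.net ldapport=389 ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=net"
host    all       all       10.0.0.0/8  ldap ldapscheme=ldaps ldapserver=auth.example.net ldapport=636 ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=net"
local   all       postgres              peer
"""

# Authentication method keywords that can appear in the METHOD column.
METHODS = {"trust", "reject", "md5", "password", "scram-sha-256", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "krb5"}


@dataclass
class LdapRule:
    lineno: int
    options: dict  # name=value pairs after the 'ldap' keyword, quotes removed


def parse_pg_hba(text):
    """Return an LdapRule for every active line whose METHOD is 'ldap'.

    shlex handles pg_hba.conf's double-quoted values and '#' comments. The
    METHOD column is the first method keyword at index 3 or later, which copes
    with 'local' lines (no ADDRESS) and with 'host' lines whose ADDRESS is
    written as two tokens (IP and netmask).
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        midx = next((i for i, f in enumerate(fields) if i >= 3 and f in METHODS), None)
        if midx is None or fields[midx] != "ldap":
            continue
        options = {}
        for token in fields[midx + 1:]:
            name, _, value = token.partition("=")
            options[name] = value
        rules.append(LdapRule(lineno, options))
    return rules


def transport_mode(options):
    """Map an ldap rule's options to the transport PostgreSQL will use."""
    if options.get("ldapscheme") == "ldaps" or options.get("ldapurl", "").startswith("ldaps://"):
        return "ldaps"      # TLS from the first byte; LDAPS convention is port 636
    if options.get("ldaptls") == "1":
        return "starttls"   # plaintext connect, then a StartTLS upgrade request
    return "plaintext"      # simple bind: the user's password crosses the wire in the clear


def audit(rules):
    """Return (lineno, level, message) for each ldap rule."""
    findings = []
    for rule in rules:
        mode = transport_mode(rule.options)
        port = rule.options.get("ldapport", "default")
        if mode == "plaintext":
            findings.append((rule.lineno, "WARN",
                             "simple bind without TLS: the password is sent in the clear"))
        elif mode == "starttls" and port == "636":
            findings.append((rule.lineno, "ERROR",
                             "ldaptls=1 means StartTLS, but port 636 expects a TLS "
                             "handshake first, so the StartTLS request fails"))
        elif mode == "ldaps" and port == "389":
            findings.append((rule.lineno, "ERROR",
                             "ldaps scheme against the plaintext LDAP port 389"))
        else:
            findings.append((rule.lineno, "OK", f"{mode} on port {port}"))
    return findings


if __name__ == "__main__":
    for lineno, level, message in audit(parse_pg_hba(SAMPLE_PG_HBA)):
        print(f"pg_hba.conf:{lineno}: {level}: {message}")
```

Run against the sample, the audit warns on the plaintext rule, flags the ldaptls=1 plus port 636 combination from the opening post as an error, and accepts StartTLS on 389 and ldaps on 636. Replace SAMPLE_PG_HBA with the contents of a real pg_hba.conf to check a live server's rules.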

