
[bitnami/postgresql] Postgres LDAP does not create role on its own

Open Diegunio opened this issue 1 year ago • 3 comments

Name and Version

bitnami/postgresql:16.4.0

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. base configuration
  2. add provider to your ldap(AD in my case)
  3. Attempt to log in with LDAP account

What is the expected behavior?

The LDAP user's role is created on its own

What do you see instead?

connection failed: connection to server at "192.168.215.1", port 5432 failed: FATAL: role "name.lastname" does not exist

Additional information

No response

Diegunio avatar Sep 24 '24 12:09 Diegunio

Hi,

Could you provide us with a docker-compose that clearly reproduces the issue? We need to understand whether it is an issue in the Bitnami packaging of PostgreSQL or in PostgreSQL itself.

javsalgar avatar Sep 25 '24 08:09 javsalgar

Hi, the origin of this issue comes from using the helm chart, but I was able to reproduce it with a very basic container configuration. Here's my podman run command.

I'm sure LDAP works as expected

podman run -d \
  -e POSTGRESQL_PASSWORD="postgres" \
  -e POSTGRESQL_ENABLE_LDAP="yes" \
  -e POSTGRESQL_LDAP_SERVER="10.10.0.11" \
  -e POSTGRESQL_LDAP_PORT="389" \
  -e POSTGRESQL_LDAP_BASE_DN="OU=team,OU=city,DC=office,DC=example,DC=com" \
  -e POSTGRESQL_LDAP_BIND_DN="CN=user,OU=technical,OU=city,DC=office,DC=example,DC=com" \
  -e POSTGRESQL_LDAP_BIND_PASSWORD="mysecretpwd" \
  -e POSTGRESQL_LDAP_SEARCH_ATTR="sAMAccountName" \
  -p 5432:5432 \
  docker.io/bitnami/postgresql:16.4.0-debian-12-r2

Diegunio avatar Sep 25 '24 09:09 Diegunio

Hi @Diegunio,

As far as I know, the LDAP settings do not create roles and databases for the users in your LDAP server. LDAP settings will be added to your pg_hba.conf, but manual action to create users and grant privileges is still required as described in this guide: https://goteleport.com/learn/postgresql-ldap-authentication/

I used this sample scenario:

services:
  ldap-server:
    image: ghcr.io/rroemhild/docker-test-openldap:master
  postgresql:
    image: docker.io/bitnami/postgresql:17
    environment:
      - POSTGRESQL_PASSWORD=postgres
      - POSTGRESQL_ENABLE_LDAP=yes
      - POSTGRESQL_LDAP_SERVER=ldap-server
      - POSTGRESQL_LDAP_PORT=10389
      - POSTGRESQL_LDAP_BASE_DN=ou=people,dc=planetexpress,dc=com
      - POSTGRESQL_LDAP_BIND_DN=cn=admin,dc=planetexpress,dc=com
      - POSTGRESQL_LDAP_BIND_PASSWORD=GoodNewsEveryone
      - POSTGRESQL_LDAP_SEARCH_ATTR=uid
  client:
    image: docker.io/bitnami/postgresql:17
    command:
      - 'tail'
      - '-f'
      - '/dev/null'

Until I got the same error:

psql: error: connection to server at "postgresql" (172.18.0.3), port 5432 failed: FATAL:  role "professor" does not exist

The error was fixed after I logged in as postgres user and executed the following commands:

CREATE ROLE professor WITH LOGIN;
CREATE DATABASE professor;
GRANT ALL PRIVILEGES ON DATABASE "professor" to professor;

After that, login succeeds using LDAP user password:

I have no name!@6d157e116386:/$ /opt/bitnami/scripts/postgresql/entrypoint.sh psql --host postgresql -p 5432 --username 'professor'
postgresql 14:59:46.02 INFO  ==> 
postgresql 14:59:46.02 INFO  ==> Welcome to the Bitnami postgresql container
postgresql 14:59:46.02 INFO  ==> Subscribe to project updates by watching https://github.com/bitnami/containers
postgresql 14:59:46.02 INFO  ==> Submit issues and feature requests at https://github.com/bitnami/containers/issues
postgresql 14:59:46.03 INFO  ==> Upgrade to Tanzu Application Catalog for production environments to access custom-configured and pre-packaged software components. Gain enhanced features, including Software Bill of Materials (SBOM), CVE scan result reports, and VEX documents. To learn more, visit https://bitnami.com/enterprise
postgresql 14:59:46.03 INFO  ==> 

Password for user professor: 
psql (17.0)
Type "help" for help.

professor=> 

Maybe your use case requires some additional scripting or external tools such as pg-ldap-sync.

migruiz4 avatar Oct 08 '24 15:10 migruiz4

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] avatar Oct 24 '24 01:10 github-actions[bot]

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

github-actions[bot] avatar Oct 29 '24 01:10 github-actions[bot]