
LDAP auth not working via LDAPS in version 2.6.0

Open ferenc-kiss opened this issue 7 months ago • 0 comments

Report

LDAPS authentication is not working in version 2.6.0 because PostgreSQL cannot connect to the LDAP server.

More about the problem

When a user wants to sign in to the database, PostgreSQL cannot connect to the LDAP server because TLS negotiation fails, even though the LDAP certificate is trusted by openssl s_client in the container. In the new version the LDAPTLS_CACERT environment variable points to the /etc/postgres/ldap/ca.crt file in the StatefulSet. This file doesn't exist and you can't create it with an initContainer, Secret or ConfigMap, cannot mount a PVC, etc.

Steps to reproduce

  1. Install the postgresql-operator in a namespace
  2. Apply PerconaPGCluster kubernetes object:
apiVersion: pgv2.percona.com/v2
kind: PerconaPGCluster
metadata:
  name: percona-nke-psql-17
spec:
  crVersion: 2.6.0
...
  instances:
  - name: instance1
    replicas: 1
...
  patroni:
    syncPeriodSeconds: 10 # default: 10
    leaderLeaseDurationSeconds: 30 # default: 30
    port: 8008
    dynamicConfiguration:
      postgresql:
        pg_hba:
        - host all postgres 10.0.0.0/8 md5
        - host all all 172.16.0.0/12 ldap ldapurl="ldaps://ldap.example.com:636/DC=intra,DC=example,DC=com?sAMAccountName?sub" ldapbinddn="CN=ldap_percona_svc,OU=LDAP_users,DC=intra,DC=example,DC=com" ldapbindpasswd="sompassword"
...
  3. Try to log in with an LDAP user

Versions

  1. Kubernetes: rke2 (rancher managed cluster), 1.31.7
  2. Operator: 2.6.0
  3. Database: 17.4

Anything else?

No response

ferenc-kiss May 27 '25 13:05
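The failure described above comes down to two things an operator can check before touching the cluster: whether the pg_hba LDAP rule actually uses an encrypted transport, and whether the CA file that LDAPTLS_CACERT names is present in the container. The following Python is an added example, not code from the report or from the Percona operator: it parses pg_hba lines (including the ldaps rule from the report above, reproduced verbatim) with the quoted key=value option syntax pg_hba uses, then audits each ldap rule for cleartext LDAP, a missing CA file, and a bind password embedded in the rule. The sample pg_hba text, the finding labels and the injectable `exists` callback are constructed for this example.

```python
import os
import shlex
from urllib.parse import urlparse

# Constructed sample pg_hba.conf content. The ldaps line is the one from the
# report; the other two ldap lines are added to show the cases the checker
# distinguishes (cleartext ldap:// via ldapserver, and STARTTLS via ldaptls=1).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD  [OPTIONS]
host    all       postgres  10.0.0.0/8      md5
host    all       all       172.16.0.0/12   ldap ldapurl="ldaps://ldap.example.com:636/DC=intra,DC=example,DC=com?sAMAccountName?sub" ldapbinddn="CN=ldap_percona_svc,OU=LDAP_users,DC=intra,DC=example,DC=com" ldapbindpasswd="sompassword"
host    all       all       192.168.0.0/16  ldap ldapserver=ldap.example.com ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=com"
host    all       all       192.168.0.0/16  ldap ldapserver=ldap.example.com ldaptls=1 ldapbasedn="dc=example,dc=com"
"""


def parse_pg_hba(text):
    """Parse pg_hba.conf text into dicts holding the positional fields and an
    'options' dict built from key=value tokens (double-quoted values are handled
    by shlex). Assumption: addresses are written in CIDR form; the separate
    netmask form is not split out."""
    entries = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # drops blank and '#' lines
        if not tokens:
            continue
        # Positional fields never contain '='; options always do.
        split = next((i for i, t in enumerate(tokens) if "=" in t), len(tokens))
        positional, option_tokens = tokens[:split], tokens[split:]
        if positional[0] == "local":
            entry = {"type": positional[0], "database": positional[1],
                     "user": positional[2], "address": None, "method": positional[3]}
        else:
            entry = {"type": positional[0], "database": positional[1],
                     "user": positional[2], "address": positional[3], "method": positional[4]}
        entry["options"] = dict(t.split("=", 1) for t in option_tokens)
        entries.append(entry)
    return entries


def check_ldap_entry(entry, environ=None, exists=os.path.isfile):
    """Return a list of finding strings for one pg_hba entry using the ldap method.
    `environ` defaults to os.environ; `exists` is injectable so the CA-file check
    can be exercised without touching the real filesystem (constructed hook)."""
    if entry["method"] != "ldap":
        return []
    environ = os.environ if environ is None else environ
    opts = entry["options"]
    findings = []

    # Transport: an ldapurl carries its own scheme; the ldapserver form is plain
    # ldap:// unless ldapscheme=ldaps is given, and ldaptls=1 upgrades with STARTTLS.
    if "ldapurl" in opts:
        scheme = urlparse(opts["ldapurl"]).scheme
    else:
        scheme = opts.get("ldapscheme", "ldap")
    starttls = opts.get("ldaptls") == "1"
    if scheme != "ldaps" and not starttls:
        findings.append("cleartext-ldap: bind and user passwords would cross the network "
                        "unencrypted; use an ldaps:// URL or ldaptls=1")

    # CA trust: libldap honours LDAPTLS_CACERT. If it names a file that is not in
    # the container, the TLS handshake fails, which is the symptom in the report
    # (2.6.0 points it at /etc/postgres/ldap/ca.crt).
    if scheme == "ldaps" or starttls:
        ca = environ.get("LDAPTLS_CACERT")
        if ca is None:
            findings.append("no-ca-env: LDAPTLS_CACERT is unset, trust comes from ldap.conf "
                            "or the library defaults")
        elif not exists(ca):
            findings.append(f"missing-ca-file: LDAPTLS_CACERT={ca} does not exist, "
                            "TLS negotiation will fail")

    if "ldapbindpasswd" in opts:
        findings.append("bind-password-in-hba: ldapbindpasswd is stored in pg_hba.conf "
                        "(and here in the PerconaPGCluster CR); anyone who can read "
                        "either learns it")
    return findings


def audit_pg_hba(text, environ=None, exists=os.path.isfile):
    """Return [(entry, findings), ...] for every ldap-method rule in `text`."""
    return [(e, check_ldap_entry(e, environ, exists))
            for e in parse_pg_hba(text) if e["method"] == "ldap"]


if __name__ == "__main__":
    # Run against the real environment of the container you execute this in.
    for entry, findings in audit_pg_hba(SAMPLE_PG_HBA):
        print(entry["address"], entry["options"].get("ldapurl", entry["options"].get("ldapserver")))
        for f in findings or ["ok"]:
            print("   ", f)
```

Running it inside the database container with the real pg_hba rules and `environ=os.environ` reports `missing-ca-file` for exactly the situation in the report; once the CA file is present at the path LDAPTLS_CACERT names, only the bind-password note remains for the ldaps rule.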