If you need LDAP auth for postfix, the easiest way to do this is to use pam auth.
I have pam auth, using LDAP over TLS, working with RHEL 7 and postgres 12.
I created a test database user, myuser.
I then edited pg_hba.conf and added this line:
local all myuser pam pamservice=postgresql
I edited /etc/pam.d/postgresql to match this:
#%PAM-1.0
#auth include password-auth
#account include password-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 500 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_access.so accessfile=/etc/security/postgres_access.conf
account [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
Then I created the postgres access control file, /etc/security/postgres_access.conf, like this:
###################################################################
# postgres access control table.
##############################################################################
#-:ALL EXCEPT oracle stdsmont root:LOCAL
+:@mynetgroup:ALL
-:ALL:ALL
Then changed the perm on the
# ls -l /etc/security/postgres_access.conf
-rw-r--r-- 1 root root 2088 Jan 8 10:50 /etc/security/postgres_access.conf
I then restarted the postgres-12 service.
I can now log into the database with my LDAP credentials:
[root@caroldaps14 ~]# su - postgres
Last login: Wed Jan 8 10:55:32 PST 2020 on pts/0
-bash-4.2$ psql -d postgres -U myuser -W
Password:
psql (12.1)
Type "help" for help.
postgres=#
My access is permitted because the access control file allows a netgroup that contains my account. The accounts' passwords and the access permissions are stored in the LDAP directory.
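To show why the rule order in /etc/security/postgres_access.conf matters (first match wins, and the trailing -:ALL:ALL makes the deny explicit), here is an added example that is not part of the original post or of pam_access: a small evaluator for the access.conf syntax used above. It assumes the caller supplies the user's netgroup membership (real pam_access asks NSS) and that origins are compared as plain strings.

```python
"""Minimal evaluator for the pam_access rule lines used on this page.
Added example; not the post's code and not pam_access itself.
Assumption: netgroup membership is passed in by the caller, and the
origin field is matched as a plain string (ALL matches anything)."""
from dataclasses import dataclass


@dataclass
class Rule:
    permit: bool          # '+' permits, '-' denies
    users: list           # user names, @netgroups, or ALL
    except_users: list    # names after "EXCEPT" in the users field
    origins: list         # LOCAL, host names, or ALL


def parse_access_conf(text):
    """Parse 'permission:users:origins' lines, skipping comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        names, _, excepted = users.partition(" EXCEPT ")
        rules.append(Rule(perm == "+", names.split(), excepted.split(), origins.split()))
    return rules


def _user_matches(item, user, netgroups):
    if item == "ALL":
        return True
    if item.startswith("@"):          # @name is a netgroup
        return item[1:] in netgroups
    return item == user


def evaluate(rules, user, netgroups, origin="LOCAL"):
    """First matching rule decides. With no matching rule pam_access grants
    access (assumption about its default), which is why the file ends -:ALL:ALL."""
    for r in rules:
        origin_ok = "ALL" in r.origins or origin in r.origins
        listed = any(_user_matches(u, user, netgroups) for u in r.users)
        excepted = any(_user_matches(e, user, netgroups) for e in r.except_users)
        if origin_ok and listed and not excepted:
            return r.permit
    return True


# Constructed copy of the rule lines from the post's file.
POSTGRES_ACCESS_CONF = "# postgres access control table.\n+:@mynetgroup:ALL\n-:ALL:ALL\n"
RULES = parse_access_conf(POSTGRES_ACCESS_CONF)


def check(user, netgroups, origin="LOCAL"):
    return evaluate(RULES, user, netgroups, origin)
```

check("myuser", {"mynetgroup"}) returns True while check("myuser", set()) returns False, matching the behaviour described above.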