
Getting errors when I try to run the program, need help setting it up

Open regisfso opened this issue 3 years ago • 3 comments

I need help writing my ldap2pg.yml

Hi everyone, I'm new to LDAP and I'm trying to understand and apply ldap2pg in my company. We have over 300 servers running PostgreSQL and we want to be able to include and delete roles in all of those servers as needed. I'm trying to follow the documentation on the website, but I'm struggling a little. I want to use the LDAP over TCP mode, and log in as cn=admin. If I run ldapwhoami -x -D cn=admin,dc=ldap,dc=company,dc=it -W on the postgres server, it asks me for the password, and the execution proceeds correctly. Running echo $LDAPPASSWORD gives my password too. There is a ldaprc file with "URI" and "BINDDN" values. I'm using https://github.com/dalibo/ldap2pg/blob/master/ldap2pg.yml as a base, and modified a few little things to test it, but I'm getting errors:

ldap2pg -v
[ldap2pg.config        INFO] Starting ldap2pg 5.8.
[ldap2pg.config       DEBUG] Trying ./ldap2pg.yml.
[ldap2pg.config        INFO] Using /home/synsuite/tmp/ldap/ldap2pg.yml.
[ldap2pg.config       DEBUG] Read verbosity from argv.
[ldap2pg.config       DEBUG] Read version from YAML.
[ldap2pg.config       DEBUG] Read ldap:uri from YAML.
[ldap2pg.config       DEBUG] Read ldap:binddn from YAML.
[ldap2pg.config       DEBUG] Read ldap:password from YAML.
[ldap2pg.config       DEBUG] Read postgres:dsn from YAML.
[ldap2pg.config       DEBUG] Read postgres:managed_roles_query from YAML.
[ldap2pg.config       DEBUG] Read postgres:owners_query from YAML.
[ldap2pg.config       DEBUG] Read postgres:schemas_query from YAML.
[ldap2pg.config       DEBUG] Read privileges from YAML.
[ldap2pg.config       DEBUG] Read sync_map from YAML.
[ldap2pg.config       DEBUG] Drop unused inactive privilege __default_execute_on_functions__
[ldap2pg.config       DEBUG] Drop unused inactive privilege __execute_on_all_functions__
[ldap2pg.config       DEBUG] Drop unused inactive privilege __global_default_execute_on_functions__
[ldap2pg.config       DEBUG] Configuration loaded.
[ldap2pg.script       DEBUG] Setting up LDAP client.
[ldap2pg.ldap         DEBUG] Ignoring: [Errno 2] No such file or directory: '/etc/openldap/ldap.conf'
[ldap2pg.ldap         DEBUG] Found rcfile /etc/ldap/ldap.conf.
[ldap2pg.ldap         DEBUG] Read TLS_CACERT from /etc/ldap/ldap.conf.
[ldap2pg.ldap         DEBUG] Found rcfile /home/synsuite/ldaprc.
[ldap2pg.ldap         DEBUG] Read URI from /home/synsuite/ldaprc.
[ldap2pg.ldap         DEBUG] Read BINDDN from /home/synsuite/ldaprc.
[ldap2pg.ldap         DEBUG] Ignoring: [Errno 2] No such file or directory: '/home/synsuite/.ldaprc'
[ldap2pg.ldap         DEBUG] Ignoring: [Errno 2] No such file or directory: '/home/synsuite/tmp/ldap/ldaprc'
[ldap2pg.ldap         DEBUG] Read URI from YAML.
[ldap2pg.ldap         DEBUG] Read BINDDN from YAML.
[ldap2pg.ldap         DEBUG] Read PASSWORD from YAML.
[ldap2pg.ldap          INFO] Connecting to LDAP server ldap://ldap.server.it:389.
[ldap2pg.ldap          INFO] Trying simple bind.
[ldap2pg.ldap         DEBUG] Authenticating: ldapwhoami -x -D cn=admin,dc=ldap,dc=company,dc=it -W
[ldap2pg.script       ERROR] Unhandled error:
[ldap2pg.script       ERROR] Traceback (most recent call last):
[ldap2pg.script       ERROR]   File "/usr/local/lib/python3.5/dist-packages/ldap2pg/script.py", line 37, in main
[ldap2pg.script       ERROR]     exit(synchronize(config))
[ldap2pg.script       ERROR]   File "/usr/local/lib/python3.5/dist-packages/ldap2pg/script.py", line 93, in synchronize
[ldap2pg.script       ERROR]     ldapconn = ldap.connect(**config['ldap'])
[ldap2pg.script       ERROR]   File "/usr/local/lib/python3.5/dist-packages/ldap2pg/ldap.py", line 309, in connect
[ldap2pg.script       ERROR]     conn.simple_bind_s(options['BINDDN'], options['PASSWORD'])
[ldap2pg.script       ERROR]   File "/usr/local/lib/python3.5/dist-packages/ldap2pg/ldap.py", line 257, in simple_bind_s
[ldap2pg.script       ERROR]     return self.wrapped.simple_bind_s(binddn, password)
[ldap2pg.script       ERROR]   File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 454, in simple_bind_s
[ldap2pg.script       ERROR]     msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
[ldap2pg.script       ERROR]   File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 448, in simple_bind
[ldap2pg.script       ERROR]     return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
[ldap2pg.script       ERROR]   File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 324, in _ldap_call
[ldap2pg.script       ERROR]     result = func(*args,**kwargs)
[ldap2pg.script       ERROR] TypeError: a bytes-like object is required, not 'int'
[ldap2pg.script       ERROR] Please file an issue at https://github.com/dalibo/ldap2pg/issues with full log.

Can someone please point me in the right direction? Thanks in advance!

PS: The yml file is correctly formatted on the server, but I couldn't figure out how to paste it here without losing the correct format.

ldap2pg.yml

version: 5

postgres:
  managed_roles_query: |
    SELECT 'public'
    UNION
    SELECT DISTINCT role.rolname
    FROM pg_roles AS role
    LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
    LEFT OUTER JOIN pg_roles AS ldap_roles
      ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
    WHERE role.rolname IN ('ldap_roles', 'readers', 'writers', 'owners')
       OR ldap_roles.oid IS NOT NULL
    ORDER BY 1;
  owners_query: |
    SELECT DISTINCT role.rolname
    FROM pg_catalog.pg_roles AS role
    JOIN pg_catalog.pg_auth_members AS ms ON ms.member = role.oid
    JOIN pg_catalog.pg_roles AS owners
      ON owners.rolname = 'owners' AND owners.oid = ms.roleid
    ORDER BY 1;
  schemas_query: |
    SELECT nspname
    FROM pg_catalog.pg_namespace
    WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema'
    ORDER BY 1;

ldap:
  uri: ldap://ldap.server.it:389
  binddn: cn=admin,dc=ldap,dc=company,dc=it
  password: 332211

privileges:
  ro:
  - connect
  - select_on_tables
  - select_on_sequences
  - usage_on_schemas
  - usage_on_types
  rw:
  - temporary
  - all_on_tables
  - all_on_sequences
  ddl:
  - create_on_schemas

sync_map:
- description: "Setup static roles and grants."
  roles:
  - names:
    - ldap_roles
    - readers
    options: NOLOGIN
  - name: writers
    parent: readers
    options: NOLOGIN
  - name: owners
    parent: writers
    options: NOLOGIN
  grant:
  - privilege: ro
    role: readers
    schemas: all
  - privilege: rw
    role: writers
    schemas: all
  - privilege: ddl
    role: owners
    schemas: all
- description: "Query LDAP to create superusers."
  ldapsearch:
    base: ou=company,dc=ldap,dc=company,dc=it
    filter: "(cn=dba)"
  role:
    name: '{member.cn}'
    options: LOGIN SUPERUSER
    parent:
    - ldap_roles
    - owners
    comment: "From LDAP group {dn}"
- description: "Query LDAP to create writers."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: "(cn=team*)"
    on_unexpected_dn: warn
  role:
    name: '{member.cn}'
    options: LOGIN
    parent:
    - ldap_roles
    - writers
    comment: 'From LDAP group {dn}'
- description: "Query LDAP to create readers."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: " (& (cn=bi) (objectClass=*) )"
  role:
    name: '{member.cn}'
    options: LOGIN
    parent:
    - ldap_roles
    - readers

regisfso avatar Jul 12 '22 18:07 regisfso

Fun. It looks like an int password in YAML breaks ldap2pg. The workaround is to quote the password. Can you confirm this?

bersace avatar Jul 13 '22 14:07 bersace
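The mechanism behind the traceback above, as an added example that is not part of the issue thread or of ldap2pg's own code: PyYAML applies YAML 1.1 implicit typing to unquoted scalars, so `password: 332211` is loaded as the Python int 332211, and python-ldap's `simple_bind_s()` then raises `TypeError: a bytes-like object is required, not 'int'`. The same rule turns `0644` into 420 (octal), `yes` into `True` and `1.5` into a float, which is why the check below rejects a non-string password instead of quietly calling `str()` on it. The regexes are a subset of PyYAML's resolver and are an assumption about its behaviour; `ConfigError`, `coerce_bind_password`, `simple_bind_args` and `diagnose_password_line` are hypothetical names, not ldap2pg API.

```python
"""Why an unquoted YAML password reaches simple_bind_s() as an int, and a
config-time check that reports it clearly. Added example, not ldap2pg code."""
import re
from typing import Any, Optional, Tuple

# Subset of PyYAML's YAML 1.1 implicit resolvers (yaml/resolver.py), in the
# order PyYAML registers them. Assumption: this mirrors what yaml.safe_load()
# does to an *unquoted* scalar; a quoted scalar is always a str.
_IMPLICIT = [
    ("bool", r"yes|Yes|YES|no|No|NO|true|True|TRUE|false|False|FALSE|on|On|ON|off|Off|OFF"),
    ("float", r"[-+]?(?:[0-9][0-9_]*)\.[0-9_]*(?:[eE][-+][0-9]+)?"
              r"|\.[0-9_]+(?:[eE][-+][0-9]+)?"
              r"|[-+]?[0-9][0-9_]*(?::[0-5]?[0-9])+\.[0-9_]*"
              r"|[-+]?\.(?:inf|Inf|INF)|\.(?:nan|NaN|NAN)"),
    ("int", r"[-+]?0b[0-1_]+|[-+]?0[0-7_]+|[-+]?(?:0|[1-9][0-9_]*)"
            r"|[-+]?0x[0-9a-fA-F_]+|[-+]?[1-9][0-9_]*(?::[0-5]?[0-9])+"),
    ("null", r"~|null|Null|NULL|"),
]
_IMPLICIT = [(name, re.compile(rx)) for name, rx in _IMPLICIT]


def implicit_yaml_type(scalar: str) -> str:
    """Type name PyYAML would give this scalar as written in ldap2pg.yml."""
    if len(scalar) >= 2 and scalar[0] == scalar[-1] and scalar[0] in "\"'":
        return "str"  # explicitly quoted: implicit typing never applies
    for name, rx in _IMPLICIT:
        if rx.fullmatch(scalar):
            return name
    return "str"


class ConfigError(Exception):
    """Raised at config load instead of deep inside python-ldap's bind."""


def password_problem(value: Any) -> Optional[str]:
    """Return None if the loaded ldap:password is usable, else an explanation.

    Silently str()-ing a non-str would be worse than failing: by the time we
    see the value, `0644` is already 420 and `yes` is already True, so the
    original characters are gone. Rejecting and asking for quotes is the only
    safe response.
    """
    if isinstance(value, (str, bytes)):
        return None
    if value is None:
        return ("ldap:password is empty or null; if the password is literally "
                "'~' or 'null', quote it")
    return (f"ldap:password was loaded as {type(value).__name__} ({value!r}) "
            "because YAML implicit typing applied; quote it: password: '...'")


def coerce_bind_password(value: Any) -> str:
    """The credential string python-ldap's simple_bind_s() actually accepts."""
    problem = password_problem(value)
    if problem is not None:
        raise ConfigError(problem)
    return value.decode("utf-8") if isinstance(value, bytes) else value


def simple_bind_args(options: dict) -> Tuple[str, str]:
    """Validated (binddn, password) pair for conn.simple_bind_s(binddn, password)."""
    binddn = options.get("BINDDN")
    if not isinstance(binddn, str) or not binddn:
        raise ConfigError("ldap:binddn must be a non-empty string")
    return binddn, coerce_bind_password(options.get("PASSWORD"))


def diagnose_password_line(yaml_line: str) -> str:
    """Given the raw `password: ...` line of ldap2pg.yml, say how it will load."""
    key, _, raw = yaml_line.partition(":")
    if key.strip() != "password":
        raise ValueError("expected a 'password:' line")
    scalar = raw.strip()
    kind = implicit_yaml_type(scalar)
    if kind == "str":
        return "ok: loads as str"
    return f"broken: loads as {kind}; write password: '{scalar}' instead"


if __name__ == "__main__":
    # Constructed inputs: the reporter's line and a few other traps.
    for line in ("password: 332211", "password: '332211'",
                 "password: 0644", "password: yes", "password: s3cr3t!"):
        print(f"{line:24} -> {diagnose_password_line(line)}")
```

Quoting is the one-line fix on the reporter's side; on the maintainer's side the check belongs where `ldap2pg.ldap.connect()` assembles `options['PASSWORD']`, before `simple_bind_s` is called. Keeping the password out of ldap2pg.yml altogether, as the reporter eventually did by relying on the environment rather than the `ldap:` section, also sidesteps the typing problem, since environment variables are always strings.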

Hi @bersace I removed all the "ldap:" part of the yaml. And I configured the "/etc/ldap/ldap.conf" with "BASE" and "URI" and removed "ldaprc" file. After that, it worked correctly.

regisfso avatar Jul 13 '22 14:07 regisfso

Thanks for the feedback. I'm reopening to provide a better error in such a case.

bersace avatar Jul 13 '22 14:07 bersace