Getting errors when I try to run the program, need help setting it up
I need help writing my ldap2pg.yml
Hi everyone, I'm new to LDAP and I'm trying to understand ldap2pg and roll it out at my company.
We have over 300 servers running PostgreSQL and we want to be able to add and delete roles on all of those servers as needed.
I'm trying to follow the documentation on the website, but I'm struggling a little.
I want to use the LDAP over TCP mode and log in as cn=admin.
If I run ldapwhoami -x -D cn=admin,dc=ldap,dc=company,dc=it -W on the postgres server, it prompts me for the password and the command completes successfully.
Running echo $LDAPPASSWORD gives my password too.
There is an ldaprc file with "URI" and "BINDDN" values.
I'm using https://github.com/dalibo/ldap2pg/blob/master/ldap2pg.yml as a base and modified a few small things to test it, but I'm getting errors:
ldap2pg -v
[ldap2pg.config INFO] Starting ldap2pg 5.8.
[ldap2pg.config DEBUG] Trying ./ldap2pg.yml.
[ldap2pg.config INFO] Using /home/synsuite/tmp/ldap/ldap2pg.yml.
[ldap2pg.config DEBUG] Read verbosity from argv.
[ldap2pg.config DEBUG] Read version from YAML.
[ldap2pg.config DEBUG] Read ldap:uri from YAML.
[ldap2pg.config DEBUG] Read ldap:binddn from YAML.
[ldap2pg.config DEBUG] Read ldap:password from YAML.
[ldap2pg.config DEBUG] Read postgres:dsn from YAML.
[ldap2pg.config DEBUG] Read postgres:managed_roles_query from YAML.
[ldap2pg.config DEBUG] Read postgres:owners_query from YAML.
[ldap2pg.config DEBUG] Read postgres:schemas_query from YAML.
[ldap2pg.config DEBUG] Read privileges from YAML.
[ldap2pg.config DEBUG] Read sync_map from YAML.
[ldap2pg.config DEBUG] Drop unused inactive privilege __default_execute_on_functions__
[ldap2pg.config DEBUG] Drop unused inactive privilege __execute_on_all_functions__
[ldap2pg.config DEBUG] Drop unused inactive privilege __global_default_execute_on_functions__
[ldap2pg.config DEBUG] Configuration loaded.
[ldap2pg.script DEBUG] Setting up LDAP client.
[ldap2pg.ldap DEBUG] Ignoring: [Errno 2] No such file or directory: '/etc/openldap/ldap.conf'
[ldap2pg.ldap DEBUG] Found rcfile /etc/ldap/ldap.conf.
[ldap2pg.ldap DEBUG] Read TLS_CACERT from /etc/ldap/ldap.conf.
[ldap2pg.ldap DEBUG] Found rcfile /home/synsuite/ldaprc.
[ldap2pg.ldap DEBUG] Read URI from /home/synsuite/ldaprc.
[ldap2pg.ldap DEBUG] Read BINDDN from /home/synsuite/ldaprc.
[ldap2pg.ldap DEBUG] Ignoring: [Errno 2] No such file or directory: '/home/synsuite/.ldaprc'
[ldap2pg.ldap DEBUG] Ignoring: [Errno 2] No such file or directory: '/home/synsuite/tmp/ldap/ldaprc'
[ldap2pg.ldap DEBUG] Read URI from YAML.
[ldap2pg.ldap DEBUG] Read BINDDN from YAML.
[ldap2pg.ldap DEBUG] Read PASSWORD from YAML.
[ldap2pg.ldap INFO] Connecting to LDAP server ldap://ldap.server.it:389.
[ldap2pg.ldap INFO] Trying simple bind.
[ldap2pg.ldap DEBUG] Authenticating: ldapwhoami -x -D cn=admin,dc=ldap,dc=company,dc=it -W
[ldap2pg.script ERROR] Unhandled error:
[ldap2pg.script ERROR] Traceback (most recent call last):
[ldap2pg.script ERROR] File "/usr/local/lib/python3.5/dist-packages/ldap2pg/script.py", line 37, in main
[ldap2pg.script ERROR] exit(synchronize(config))
[ldap2pg.script ERROR] File "/usr/local/lib/python3.5/dist-packages/ldap2pg/script.py", line 93, in synchronize
[ldap2pg.script ERROR] ldapconn = ldap.connect(**config['ldap'])
[ldap2pg.script ERROR] File "/usr/local/lib/python3.5/dist-packages/ldap2pg/ldap.py", line 309, in connect
[ldap2pg.script ERROR] conn.simple_bind_s(options['BINDDN'], options['PASSWORD'])
[ldap2pg.script ERROR] File "/usr/local/lib/python3.5/dist-packages/ldap2pg/ldap.py", line 257, in simple_bind_s
[ldap2pg.script ERROR] return self.wrapped.simple_bind_s(binddn, password)
[ldap2pg.script ERROR] File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 454, in simple_bind_s
[ldap2pg.script ERROR] msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
[ldap2pg.script ERROR] File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 448, in simple_bind
[ldap2pg.script ERROR] return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
[ldap2pg.script ERROR] File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 324, in _ldap_call
[ldap2pg.script ERROR] result = func(*args,**kwargs)
[ldap2pg.script ERROR] TypeError: a bytes-like object is required, not 'int'
[ldap2pg.script ERROR] Please file an issue at https://github.com/dalibo/ldap2pg/issues with full log.
Can someone please point me in the right direction? Thanks in advance!
PS: The yml file is correctly formatted on the server, but I couldn't figure out how to paste it here without losing the formatting.
ldap2pg.yml
```yaml
version: 5

postgres:
  managed_roles_query: |
    SELECT 'public'
    UNION
    SELECT DISTINCT role.rolname
    FROM pg_roles AS role
    LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
    LEFT OUTER JOIN pg_roles AS ldap_roles
      ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
    WHERE role.rolname IN ('ldap_roles', 'readers', 'writers', 'owners')
       OR ldap_roles.oid IS NOT NULL
    ORDER BY 1;

  owners_query: |
    SELECT DISTINCT role.rolname
    FROM pg_catalog.pg_roles AS role
    JOIN pg_catalog.pg_auth_members AS ms ON ms.member = role.oid
    JOIN pg_catalog.pg_roles AS owners
      ON owners.rolname = 'owners' AND owners.oid = ms.roleid
    ORDER BY 1;

  schemas_query: |
    SELECT nspname FROM pg_catalog.pg_namespace
    WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema'
    ORDER BY 1;

ldap:
  uri: ldap://ldap.server.it:389
  binddn: cn=admin,dc=ldap,dc=company,dc=it
  password: 332211

privileges:
  ro:
  - connect
  - select_on_tables
  - select_on_sequences
  - usage_on_schemas
  - usage_on_types
  rw:
  - temporary
  - all_on_tables
  - all_on_sequences
  ddl:
  - create_on_schemas

sync_map:
- description: "Setup static roles and grants."
  roles:
  - names:
    - ldap_roles
    - readers
    options: NOLOGIN
  - name: writers
    parent: readers
    options: NOLOGIN
  - name: owners
    parent: writers
    options: NOLOGIN
  grant:
  - privilege: ro
    role: readers
    schemas: all
  - privilege: rw
    role: writers
    schema: all
  - privilege: ddl
    role: owners
    schema: all

- description: "Query LDAP to create superusers."
  ldapsearch:
    base: ou=company,dc=ldap,dc=company,dc=it
    filter: "(cn=dba)"
  role:
    name: '{member.cn}'
    options: LOGIN SUPERUSER
    parent:
    - ldap_roles
    - owners
    comment: "From LDAP group {dn}"

- description: "Query LDAP to create writers."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: "(cn=team*)"
    on_unexpected_dn: warn
  role:
    name: '{member.cn}'
    options: LOGIN
    parent:
    - ldap_roles
    - writers
    comment: 'From LDAP groupe {dn}'

- description: "Query LDAP to create readers."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: " (& (cn=bi) (objectClass=*) )"
  role:
    name: '{member.cn}'
    options: LOGIN
    parent:
    - ldap_roles
    - readers
```
Fun. It looks like an int password in YAML breaks ldap2pg. The workaround is to quote the password. Can you confirm this?
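As an added example (not part of this thread and not ldap2pg's own code), this shows the YAML typing behind the bind failure: an unquoted `332211` loads as an int, which python-ldap's simple bind rejects, and related plain scalars are rewritten too (a leading zero is read as octal, `yes` as a boolean). It also shows the type check a config loader can do before the value reaches the bind call. PyYAML is used when installed; otherwise a small stand-in for YAML 1.1 plain-scalar resolution is assumed, which is this example's simplification and not ldap2pg's loader.

```python
import re

try:
    import yaml  # PyYAML, the parser ldap2pg reads its config with
except ImportError:  # pragma: no cover
    yaml = None

# Stand-in for PyYAML's YAML 1.1 plain-scalar rules, used only when PyYAML
# is absent. It covers exactly the scalar kinds the demo below exercises.
_INT = re.compile(r"^[-+]?(0|[1-9][0-9_]*)$")
_OCT = re.compile(r"^[-+]?0[0-7_]+$")
_BOOL = {"yes": True, "no": False, "true": True, "false": False, "on": True, "off": False}

def _resolve(scalar):
    s = scalar.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
        return s[1:-1]                     # quoted scalar: always a str
    if s.lower() in _BOOL:
        return _BOOL[s.lower()]            # yes/no/on/off become bool
    if _OCT.match(s):
        return int(s.replace("_", ""), 8)  # leading zero: octal int
    if _INT.match(s):
        return int(s.replace("_", ""))     # plain digits: decimal int
    return s

def load_flat(text):
    """Load 'key: value' lines into a dict, via PyYAML when available."""
    if yaml is not None:
        return yaml.safe_load(text)
    return {k.strip(): _resolve(v) for k, v in
            (line.split(":", 1) for line in text.strip().splitlines())}

def check_ldap_password(ldap_config):
    """Reject a password YAML did not load as a string, with a clear message
    instead of python-ldap's 'a bytes-like object is required, not int'."""
    pw = ldap_config.get("password")
    if not isinstance(pw, str):
        raise TypeError("ldap:password loaded as %s (%r); quote it in YAML so "
                        "it stays a string" % (type(pw).__name__, pw))
    return pw

def demo():
    """Constructed one-line configs; returns {yaml_line: (type_name, value)}."""
    cases = ["password: 332211",      # the thread's value: becomes an int
             "password: 0123",        # leading zero: silently becomes 83
             "password: yes",         # becomes the boolean True
             'password: "332211"']    # quoted: stays a str, bind works
    return {line: (type(v).__name__, v)
            for line in cases for v in [load_flat(line)["password"]]}
```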
Hi @bersace, I removed the whole "ldap:" part of the yaml, configured "/etc/ldap/ldap.conf" with "BASE" and "URI", and removed the "ldaprc" file. After that, it worked correctly.
Thanks for the feedback. I'm reopening to provide a better error in such case.