v10.17 (build: May 28 2024)

LDAP for PostgreSQL

In order to be able to log into the PostgreSQL database with logins from AD (via LDAP), you need to make a number of settings.

On the LDAP server (usually a domain controller):
For an unsecured connection, it is enough to open the TCP 389 port, for a secure (LDAPS) - TCP 636 and install an SSL certificate (not considered here).

In the "pg_hba.conf" file of SQL-server:
First of all, you need to allow non-domain users to login with a SQL password (for compatibility), and critical important to do this for the internal server user of the complex stkhintuser. You can also leave the login postgres and others.
For all other users, LDAP integration must be enabled. Accordingly, the order of the lines matters!
Below is an example:
# TYPE  DATABASE        USER            ADDRESS                 METHOD

# postgres login:
host    all             postgres        0.0.0.0/0               scram-sha-256
host    all             postgres        ::/0                    scram-sha-256

# internal user login:
host    stkh            stkhintuser     0.0.0.0/0               scram-sha-256
host    stkh            stkhintuser     ::/0                    scram-sha-256

# for LDAP (non-secure):
host    all             all             0.0.0.0/0               ldap ldapserver="dc1.mydomain.company.org" ldapprefix=""
host    all             all             ::/0                    ldap ldapserver="dc1.mydomain.company.org" ldapprefix=""

# for LDAPS (SSL-secured), option 1:
host    all             all             0.0.0.0/0               ldap ldapserver="dc1.mydomain.company.org" ldapprefix="" ldaptls=1
host    all             all             ::/0                    ldap ldapserver="dc1.mydomain.company.org" ldapprefix="" ldaptls=1

# for LDAPS (SSL-secured), or alternate option 2:
host    all             all             0.0.0.0/0               ldap ldapserver="dc1.mydomain.company.org" ldapprefix="" ldapscheme=ldaps
host    all             all             ::/0                    ldap ldapserver="dc1.mydomain.company.org" ldapprefix="" ldapscheme=ldaps
After changing the settings, you need to restart the SQL server service!
Next, to log in, you need to use the username in the format NETBIOS_DOMAIN\username (for example, MYDOMAIN\john.smith for the domain mydomain.company.org)

© Scopd