Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Problem with retry/fallback to simplier auth from LDAP (ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION) #2246

Open
anselvo opened this issue Jan 30, 2025 · 6 comments
Open

Problem with retry/fallback to simplier auth from LDAP (ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION) #2246

anselvo opened this issue Jan 30, 2025 · 6 comments
Labels
bug help wanted

Comments

@anselvo
Copy link

anselvo commented Jan 30, 2025

Describe the bug
Hello everyone find this issue. When I was trying to understand why this driver behave differently from what we have in jdbc, as I understand libpq should have same behaviour as menssioned above. The problem that this ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION should make a fallback, because when you connect via LDAP and configure LDAP settings in pg_hba.conf Go driver doesn't fallback whereas other do. Can we fix it? I want to have default behavior when I use driver.

The error: server error: FATAL: LDAP authentication failed for user "postgres" (SQLSTATE 28000)

Expected behavior
fallback without auth to LDAP, should work the same as in the official C driver
@anselvo anselvo added the bug label Jan 30, 2025
@jackc
Copy link
Owner

jackc commented Feb 2, 2025

Is the problem actually with the fallback logic? Or is it that pgx doesn't support LDAP at all?

@anselvo
Copy link
Author

anselvo commented Feb 2, 2025
edited
Loading

The problem is in fall back for sure. I send only login and password to postgres I'm not sure how pgx can support ldap. My pg_hba configured as

hostssl ldap
host      md5

And it should fall back to md5 when ldap returns unauthorized, but it doesn't when in other drivers it does

@felix-roehrich
Copy link
Contributor

I looked through the psql/libpq code and couldn't find anything where there would be a retry with a different auth method if LDAP failed; maybe I have overlooked something. Are you sure that other drivers are falling back and not relying on an LDAP configuration in pg_service.conf?

@anselvo
Copy link
Author

anselvo commented Feb 6, 2025

I've tested java driver first and then I tried C driver as well just to be sure that java and C have same behaviour and they do. But I wasn't checking C libs, as I understand it just should try to connect to any of pg_hba available connections. So if I have first LDAP as SSL it should try to connect first via this one, but after that it should try to connect via NON-SSL right? and there is no LDAP setup and only md5.

I believe if we remove this error check it will behave as it should.

@felix-roehrich
Copy link
Contributor

felix-roehrich commented Feb 7, 2025
edited
Loading

Since this error check was introduced as fix previously, I don't believe we should just remove it. From your comment I understand that this isn't a fallback problem related to LDAP, but rather a generic fallback problem related to SSL/non-SSL. I will investigate and try to find the difference in fallback logic between pgx and psql and make a PR.

@felix-roehrich
Copy link
Contributor

felix-roehrich commented Feb 8, 2025
edited
Loading

According to the docs (and libpq implementation):

If a connection is established successfully, but authentication fails, the remaining hosts in the list are not tried.

All encryption methods will be tried first. The current implementation using FallbackConfig/connectOneConfig cannot handle this scenario.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jackc @anselvo @felix-roehrich