Use LDAP store PostgreSQL Connection parameter & client use it with .pg_service.conf

前面几篇BLOG谈了一下PostgreSQL的用户密码认证可以通过LDAP 来做AUTH.

客户端提交用户和密码,

PostgreSQL server根据提供客户端的用户, 以及pg_hba.conf中的配置, 到LDAP server查找匹配条目.

如果找到了匹配的话, 根据客户端提供的密码在LDAP server进行认证.

客户端只和PostgreSQL server交互, 认证部分由PostgreSQL server和LDAP server完成. 所以PostgreSQL server编译时需要--with-ldap.

本文要讲的是LDAP的另一个用法, 用来存储客户端连接数据库的连接信息.

例如psql -h 172.16.3.150 -p 1818 -U digoal -d digoal

这里的-h 172.16.3.150 -p 1818 -U digoal -d digoal 存储到LDAP里面.

客户端psql通过LDAP获取到连接信息后再去连接数据库, 因此这里的客户端需要配置--with-ldap, 而服务端不需要.

首先将连接信息导入LDAP, 这里用到core.schema里面的objectclass groupOfUniqueNames, 因为连接信息存储多个, 所以存储到description中, uniqueMember存储1项即可.

[root@db-172-16-3-150 ~]# cat digoal_db.ldif
dn: cn=digoal,ou=People,dc=my-domain,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: digoal
description: sslmode=allow
description: user=digoal
description: dbname=digoal
description: port=1818
description: host=172.16.3.150
uniqueMember: host=172.16.3.150

[root@db-172-16-3-150 ~]# ldapadd -vv -x -w 123321 -D "cn=Manager,dc=my-domain,dc=com" -f digoal_db.ldif
ldap_initialize( <DEFAULT> )
add objectclass:
        top
        groupOfUniqueNames
add cn:
        digoal
add description:
        sslmode=allow
        user=digoal
        dbname=digoal
        port=1818
        host=172.16.3.150
add uniqueMember:
        host=172.16.3.150
adding new entry "cn=digoal,ou=People,dc=my-domain,dc=com"
modify complete

查找这个DN正常.

[root@db-172-16-3-150 ~]# slapcat -s "cn=digoal,ou=People,dc=my-domain,dc=com"
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=my-domain,dc=com".
dn: cn=digoal,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: digoal
description: sslmode=allow
description: user=digoal
description: dbname=digoal
description: port=1818
description: host=172.16.3.150
uniqueMember: host=172.16.3.150
structuralObjectClass: groupOfUniqueNames
entryUUID: 2119866a-848b-1033-8f3c-c1c6b9bc50eb
creatorsName: cn=Manager,dc=my-domain,dc=com
createTimestamp: 20140610013437Z
entryCSN: 20140610013437.788394Z#000000#000#000000
modifiersName: cn=Manager,dc=my-domain,dc=com
modifyTimestamp: 20140610013437Z

修改数据库的pg_hba.conf, 允许客户端连接

cd $PGDATA
vi pg_hba.conf
host all all 0.0.0.0/0 md5
pg_ctl reload

查看客户端是否加了--with-ldap配置项.

pg93@db-172-16-3-39-> pg_config --configure

'--prefix=/home/pg93/pgsql9.3.1' '--with-pgport=1999' '--with-perl' '--with-tcl' '--with-python' '--with-openssl' '--with-pam' '--with-ldap' '--with-libxml' '--with-libxslt' '--enable-thread-safety' '--with-wal-blocksize=16' '--enable-dtrace' '--enable-debug'

配置~/.pg_service.conf, 注意格式,  ldap://host:port/dn?attributes?scope?filter?extensions 

pg93@db-172-16-3-39-> cat .pg_service.conf
[mydb]
ldap://172.16.3.150:389/cn=digoal,ou=People,dc=my-domain,dc=com?description?sub?cn=digoal

使用psql连接, 会先到LDAPserver找到attributes的值作为连接项, 连接到目标数据库.

pg93@db-172-16-3-39-> psql service=mydb
Password:
psql (9.3.1)
Type "help" for help.
digoal=> 

如果客户端未配置--with-ldap, 那么在.pg_service.conf中使用ldap uri是会报语法错误的.

pg94@db-172-16-3-39-> pg_config --configure
'--prefix=/home/pg94/pgsql9.4devel' '--with-pgport=2999' '--with-perl' '--with-tcl' '--with-python' '--with-openssl' '--with-pam' '--without-ldap' '--with-libxml' '--with-libxslt' '--enable-thread-safety' '--with-wal-blocksize=16' '--enable-dtrace'
pg94@db-172-16-3-39-> cat .pg_service.conf
[mydb]
ldap://172.16.3.150:389/cn=digoal,ou=People,dc=my-domain,dc=com?description?sub?cn=digoal
pg94@db-172-16-3-39-> psql service=mydb
psql: syntax error in service file "/home/pg94/.pg_service.conf", line 2

在LDAP server中存储数据库的连接信息, 对于需要修改数据库连接配置的场景, 只需要修改LDAP, 而不需要修改客户端的配置, 方便管理.

[参考]
1. http://blog.163.com/digoal@126/blog/static/16387704020145953644535/

2. http://blog.163.com/digoal@126/blog/static/16387704020145914717111/

3. http://blog.163.com/digoal@126/blog/static/1638770402014563264469/

4. src/interfaces/libpq/fe-connect.c

/*
 *              ldapServiceLookup
 *
 * Search the LDAP URL passed as first argument, treat the result as a
 * string of connection options that are parsed and added to the array of
 * options passed as second argument.
 *
 * LDAP URLs must conform to RFC 1959 without escape sequences.
 *      ldap://host:port/dn?attributes?scope?filter?extensions
 *
 * Returns
 *      0 if the lookup was successful,
 *      1 if the connection to the LDAP server could be established but
 *        the search was unsuccessful,
 *      2 if a connection could not be established, and
 *      3 if a fatal error occurred.
 *
 * An error message is returned in the third argument for return codes 1 and 3.
 */
static int
ldapServiceLookup(const char *purl, PQconninfoOption *options,
                                  PQExpBuffer errorMessage)
{
        int                     port = LDAP_DEF_PORT,
                                scope,
                                rc,
                                msgid,
                                size,
                                state,
                                oldstate,
                                i;
        bool            found_keyword;
        char       *url,
                           *hostname,
                           *portstr,
                           *endptr,
                           *dn,
                           *scopestr,