pgbouncer does not start with ldap

I am trying to set up pgbouncer with ldap to connect to RDS Postgres. I downloaded the latest version of pgbouncer (1.11) and am using the hba auth_type. When starting the pgbouncer daemon I get the following error. Am I missing something?

[centos@ip-x.x.x.x etc]$ pgbouncer -V
PgBouncer version 1.11.0
[centos@ip-x.x.x.x etc]$ cat pg_hba.conf 
host all user1 0.0.0.0/0 md5
host all all     0.0.0.0/0 ldap ldapserver=ldap-server.com ldapprefix="cn=" ldapsuffix=", dc=group, dc=com"

[centos@ip-x.x.x.x etc]$ cat pgbouncer.ini | grep -v '^$' | grep -v '^;' 
[databases]
db1 = host=xxx.rds.amazonaws.com port=5439 dbname=db1
[users]
[pgbouncer]
logfile = /var/log/pgbouncer/pgbouncer.log
pidfile = /var/run/pgbouncer/pgbouncer.pid
listen_addr = *
listen_port = 5439
auth_type = hba
auth_file = /home/centos/pgbouncer-1.11.0/etc/userlist.txt
auth_hba_file = /home/centos/pgbouncer-1.11.0/etc/pg_hba.conf

[centos@ip-x.x.x.x etc]$  pgbouncer -d pgbouncer.ini
2019-09-09 06:57:54.447 UTC [9465] WARNING hba line 2: unsupported method: buf=ldap
2019-09-09 06:57:54.448 UTC [9465] WARNING could not parse hba config line 2

The PgBouncer documentation says:

Auth-method field: Only methods supported by PgBouncer's auth_type are supported, except any and pam, which only work globally. Username map (map=) parameter is not supported.

The documentation of auth_type says:

auth_type

How to authenticate users.

pam:
PAM is used to authenticate users, auth_file is ignored. This method is not compatible with databases using auth_user option. Service name reported to PAM is “pgbouncer”. Also, pam is still not supported in HBA configuration file.

hba:
Actual auth type is loaded from auth_hba_file. This allows different authentication methods different access paths. Example: connection over Unix socket use peer auth method, connection over TCP must use TLS. Supported from version 1.7 onwards.

cert:
Client must connect over TLS connection with valid client cert. Username is then taken from CommonName field from certificate.

md5:
Use MD5-based password check. This is the default authentication method. auth_file may contain both MD5-encrypted or plain-text passwords. If md5 is configured and a user has a SCRAM secret, then SCRAM authentication is used automatically instead.

scram-sha-256:
Use password check with SCRAM-SHA-256. auth_file has to contain SCRAM secrets or plain-text passwords. Note that SCRAM secrets can only be used for verifying the password of a client but not for logging into a server. To be able to use SCRAM on server connections, use plain-text passwords.

plain:
Clear-text password is sent over wire. Deprecated.

trust:
No authentication is done. Username must still exist in auth_file.

any:
Like the trust method, but the username given is ignored. Requires that all databases are configured to log in as specific user. Additionally, the console database allows any user to log in as admin.

So the ldap authentication method is not supported, which explains your error.

You could try using pam with the pam_ldap plugin.
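As an added example that is not part of the question or the answer (and not PgBouncer's own code): a small Python pre-flight check that reads a PgBouncer-style HBA file and reports every line whose method the HBA parser would refuse, reproducing the "unsupported method: buf=ldap" warning from the question before the daemon is started. The accepted method set and the CIDR address form are assumptions drawn from the auth_type documentation quoted above and the question's own pg_hba.conf.

```python
# Pre-flight linter for a PgBouncer-style HBA file (added example, not PgBouncer code).
# Assumption: the accepted method set below is derived from the auth_type docs quoted
# above; "pam" and "any" work only as the global auth_type, and methods PostgreSQL
# knows but PgBouncer does not (ldap, gss, sspi, radius, ...) are rejected outright.
HBA_SUPPORTED = {"trust", "reject", "md5", "password", "scram-sha-256", "cert", "peer"}
GLOBAL_ONLY = {"pam", "any"}
CONN_TYPES = ("local", "host", "hostssl", "hostnossl")


def check_hba(text):
    """Return [(line_no, message)] for every line PgBouncer would refuse.

    Mirrors the startup warning seen in the question so the file can be
    validated before pgbouncer -d is run.
    """
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] not in CONN_TYPES:
            problems.append((n, f"unknown connection type: {fields[0]}"))
            continue
        # local: TYPE DB USER METHOD [opts]; host*: TYPE DB USER ADDRESS METHOD [opts]
        # (assumes the ADDRESS field is written in CIDR form, as in the question)
        pos = 3 if fields[0] == "local" else 4
        if len(fields) <= pos:
            problems.append((n, "too few fields"))
            continue
        method = fields[pos]
        if method in HBA_SUPPORTED:
            continue
        if method in GLOBAL_ONLY:
            problems.append((n, f"{method} is only valid as the global auth_type"))
        else:
            problems.append((n, f"unsupported method: buf={method}"))
    return problems


# Constructed sample: the pg_hba.conf from the question, plus one pam line.
SAMPLE_HBA = """\
host all user1 0.0.0.0/0 md5
host all all     0.0.0.0/0 ldap ldapserver=ldap-server.com ldapprefix="cn=" ldapsuffix=", dc=group, dc=com"
local all all pam
"""

if __name__ == "__main__":
    for line_no, msg in check_hba(SAMPLE_HBA):
        print(f"hba line {line_no}: {msg}")
```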