
[bitnami/postgresql] Postgres LDAP does not create role on its own #72707

Open
Diegunio opened this issue Sep 24, 2024 · 3 comments
Labels: in-progress, postgresql, tech-issues (The user has a technical issue about an application)

Comments

@Diegunio

Name and Version

bitnami/postgresql:16.4.0

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. base configuration
  2. add provider to your ldap(AD in my case)
  3. Attempt to log in with LDAP account

What is the expected behavior?

LDAP user's role is created on its own

What do you see instead?

connection failed: connection to server at "192.168.215.1", port 5432 failed: FATAL: role "name.lastname" does not exist

Additional information

No response

Diegunio added the tech-issues label on Sep 24, 2024
github-actions bot added the triage label on Sep 24, 2024
javsalgar changed the title from "Postgres LDAP does not create role on its own" to "[bitnami/postgresql] Postgres LDAP does not create role on its own" on Sep 25, 2024
@javsalgar (Contributor)

Hi,

Could you provide us with a docker-compose that clearly reproduces the issue? We need to understand whether it is an issue in the Bitnami packaging of PostgreSQL or in PostgreSQL itself.

@Diegunio (Author)

Hi, the origin of this issue comes from using the Helm chart, but I was able to reproduce it with a very basic container configuration. Here's my podman run command.

I'm sure LDAP works as expected

podman run -d \
  -e POSTGRESQL_PASSWORD="postgres" \
  -e POSTGRESQL_ENABLE_LDAP="yes" \
  -e POSTGRESQL_LDAP_SERVER="10.10.0.11" \
  -e POSTGRESQL_LDAP_PORT="389" \
  -e POSTGRESQL_LDAP_BASE_DN="OU=team,OU=city,DC=office,DC=example,DC=com" \
  -e POSTGRESQL_LDAP_BIND_DN="CN=user,OU=technical,OU=city,DC=office,DC=example,DC=com" \
  -e POSTGRESQL_LDAP_BIND_PASSWORD="mysecretpwd" \
  -e POSTGRESQL_LDAP_SEARCH_ATTR="sAMAccountName" \
  -p 5432:5432 \
  docker.io/bitnami/postgresql:16.4.0-debian-12-r2

github-actions bot removed the triage label on Sep 26, 2024
github-actions bot assigned migruiz4 and unassigned javsalgar on Sep 26, 2024
@migruiz4 (Member) commented Oct 8, 2024

Hi @Diegunio,

As far as I know, the LDAP settings do not create roles and databases for the users in your LDAP server.
LDAP settings will be added to your pg_hba.conf, but manual action to create users and grant privileges is still required as described in this guide: https://goteleport.com/learn/postgresql-ldap-authentication/

I used this sample scenario:

services:
  ldap-server:
    image: ghcr.io/rroemhild/docker-test-openldap:master
  postgresql:
    image: docker.io/bitnami/postgresql:17
    environment:
      - POSTGRESQL_PASSWORD=postgres
      - POSTGRESQL_ENABLE_LDAP=yes
      - POSTGRESQL_LDAP_SERVER=ldap-server
      - POSTGRESQL_LDAP_PORT=10389
      - POSTGRESQL_LDAP_BASE_DN=ou=people,dc=planetexpress,dc=com
      - POSTGRESQL_LDAP_BIND_DN=cn=admin,dc=planetexpress,dc=com
      - POSTGRESQL_LDAP_BIND_PASSWORD=GoodNewsEveryone
      - POSTGRESQL_LDAP_SEARCH_ATTR=uid
  client:
    image: docker.io/bitnami/postgresql:17
    command:
      - 'tail'
      - '-f'
      - '/dev/null'

Until I got the same error:

psql: error: connection to server at "postgresql" (172.18.0.3), port 5432 failed: FATAL:  role "professor" does not exist

The error was fixed after I logged in as postgres user and executed the following commands:

CREATE ROLE professor WITH LOGIN;
CREATE DATABASE professor;
GRANT ALL PRIVILEGES ON DATABASE "professor" to professor;

After that, login succeeds using LDAP user password:

I have no name!@6d157e116386:/$ /opt/bitnami/scripts/postgresql/entrypoint.sh psql --host postgresql -p 5432 --username 'professor'
postgresql 14:59:46.02 INFO  ==> 
postgresql 14:59:46.02 INFO  ==> Welcome to the Bitnami postgresql container
postgresql 14:59:46.02 INFO  ==> Subscribe to project updates by watching https://github.com/bitnami/containers
postgresql 14:59:46.02 INFO  ==> Submit issues and feature requests at https://github.com/bitnami/containers/issues
postgresql 14:59:46.03 INFO  ==> Upgrade to Tanzu Application Catalog for production environments to access custom-configured and pre-packaged software components. Gain enhanced features, including Software Bill of Materials (SBOM), CVE scan result reports, and VEX documents. To learn more, visit https://bitnami.com/enterprise
postgresql 14:59:46.03 INFO  ==> 

Password for user professor: 
psql (17.0)
Type "help" for help.

professor=> 

Maybe your use case requires some additional scripting or external tools such as pg-ldap-sync.
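As an added illustration (not code from the issue, Bitnami or pg-ldap-sync) of the scripting the comment above refers to: this generator emits the same CREATE ROLE / CREATE DATABASE / GRANT sequence for a list of LDAP usernames, but treats the names as untrusted input (allow-list plus identifier quoting), creates the roles with LOGIN and no password because pg_hba's ldap method does the authentication, and is safe to re-run. The LDAP_USERS list is constructed sample data; the output is meant to be fed to psql as the postgres user.

```python
import re

# Constructed sample of usernames as an LDAP search attribute (sAMAccountName
# or uid) returns them. "name.lastname" mirrors the dotted role in the issue;
# the last value is deliberately hostile to show why quoting matters.
LDAP_USERS = ["professor", "name.lastname", 'x"; DROP ROLE postgres; --']

# Allow-list for names we turn into roles; anything else is reported, not
# silently quoted into the script.
SAFE_NAME = re.compile(r"^[a-z0-9][a-z0-9._-]{0,62}$")

def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: double quotes, inner quotes doubled."""
    return '"' + name.replace('"', '""') + '"'

def quote_literal(value: str) -> str:
    """Quote a PostgreSQL string literal: single quotes, inner quotes doubled."""
    return "'" + value.replace("'", "''") + "'"

def role_statements(username: str) -> str:
    """SQL for one LDAP user: a LOGIN role with no password (pg_hba's ldap
    method authenticates), a private database, and privileges on that only.
    Re-runnable: role and database are created only when missing."""
    if not SAFE_NAME.match(username):
        raise ValueError(f"rejected LDAP username {username!r}")
    ident, lit = quote_ident(username), quote_literal(username)
    return "\n".join([
        "DO $$ BEGIN",
        f"  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = {lit}) THEN",
        f"    CREATE ROLE {ident} WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;",
        "  END IF;",
        "END $$;",
        # CREATE DATABASE cannot run inside DO or a transaction; psql's \gexec
        # executes the selected text, and selects nothing if the DB exists.
        f"SELECT format('CREATE DATABASE %I OWNER %I', {lit}, {lit})",
        f"  WHERE NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = {lit}) \\gexec",
        f"GRANT ALL PRIVILEGES ON DATABASE {ident} TO {ident};",
    ])

def sync_script(usernames):
    """Return (psql script to feed `psql -U postgres -f -`, rejected names)."""
    parts, rejected = [], []
    for name in usernames:
        try:
            parts.append(role_statements(name))
        except ValueError:
            rejected.append(name)
    return "\n".join(parts) + "\n", rejected
```

Rejected names should be reviewed rather than dropped, since a name that fails the allow-list is either a naming-policy gap or something that should never reach the database.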
