
I am trying to enable LDAP authentication for postgres access. Here is my LDAP server configuration, which is working fine in another application with node.js:

var config = {
    url: 'ldap://111.222.333.44:389/',
    baseDN: 'DC=ad,DC=justcomp,DC=com',
    // the backslash in DOMAIN\user must be escaped, otherwise it escapes the closing quote
    username: "itljustcomp\\" + username,
    password: pswd
}

I have to use the same LDAP for accessing the postgres database. I added a new line in pg_hba.conf:

host    all     all     0.0.0.0/0       ldap ldapserver=111.222.333.44 ldapport=389 ldaptls=1 ldapprefix=""

Is this the right entry to put in the pg_hba.conf file, or should I add "DC=ad,DC=justcomp,DC=com" as well? If yes, then please tell me the right format.

And I am trying to connect to it from my local machine:

psql -h 10.11.222.333 -U [email protected] -d postgres

where 10.11.222.333 is the database server IP. It prompts for the password (Password for user [email protected]:), but when the password is entered, it fails with the message

psql: error: connection to server at "10.11.222.333", port 5432 failed: FATAL:  password authentication failed for user "[email protected]"

I am able to connect to the same database from local pgAdmin with a database user and password. I also tried creating the user in the database with create role "[email protected]" with login, but that also did not work.
Please suggest if something is missing here. What am I doing wrong? And is it necessary to create the same user in the database for every login id in LDAP?

Is this the right way to connect to the database:

psql -h 10.11.222.333 -U [email protected] -d postgres

or should it be something else, like

psql -h 10.11.222.333 -U itljustcompusersam -d postgres

2 Answers


  1. You must be hitting a different line in pg_hba.conf, otherwise the error message would be

    ERROR: LDAP authentication failed for user "..."
    

    Either there is an earlier line in pg_hba.conf that matches, or you didn't reload PostgreSQL to activate the new settings, or there is a syntax error in the configuration file (check the log), or you edited the pg_hba.conf of a different cluster.

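To see why the first answer points at rule ordering (and why the question's `password authentication failed` error is consistent with a password-based rule rather than the LDAP one), here is an added example, written for this thread and not code from the poster or from PostgreSQL, that walks a pg_hba.conf the way the server does: top to bottom, first matching rule wins. The sample file is constructed: it places a stock `md5` catch-all above the exact LDAP line from the question, then shows the same rules with the LDAP line moved up. The client address `10.11.222.50` is made up, and the parser assumes CIDR addresses and option values without embedded spaces (`hostssl`/`hostnossl` are treated like `host`).

```python
"""First-match walk over a pg_hba.conf (added example, not PostgreSQL's code)."""
import ipaddress

# Constructed sample: the LDAP line is the one from the question; the
# lines above it are what a default installation typically ships with.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   0.0.0.0/0       md5
host    all       all   0.0.0.0/0       ldap ldapserver=111.222.333.44 ldapport=389 ldaptls=1 ldapprefix=""
"""

# Same rules, LDAP line moved above the md5 catch-all (also constructed).
SAMPLE_PG_HBA_FIXED = """\
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   0.0.0.0/0       ldap ldapserver=111.222.333.44 ldapport=389 ldaptls=1 ldapprefix=""
host    all       all   0.0.0.0/0       md5
"""


def parse_pg_hba(text):
    """Return the rules in file order as dicts. Comments and blank lines
    are skipped; 'local' rules carry no address field."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            db, user, addr, method, opts = fields[1], fields[2], None, fields[3], fields[4:]
        else:
            db, user, addr, method, opts = fields[1], fields[2], fields[3], fields[4], fields[5:]
        # method options look like key=value; strip the quotes from ldapprefix=""
        options = {k: v.strip('"') for k, v in (o.split("=", 1) for o in opts)}
        rules.append({"line": lineno, "type": conn_type, "db": db, "user": user,
                      "addr": addr, "method": method, "options": options})
    return rules


def _name_matches(field, value):
    # 'all' matches anything; otherwise the field is a comma-separated list
    return field == "all" or value in field.split(",")


def _addr_matches(field, client_ip):
    if field == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(field, strict=False)


def first_match(rules, conn_type, db, user, client_ip=None):
    """Return the first matching rule, or None (PostgreSQL then reports
    'no pg_hba.conf entry'). Later rules are never consulted."""
    for rule in rules:
        if rule["type"] == "local":
            if conn_type != "local":
                continue
        else:
            if conn_type != "host" or not _addr_matches(rule["addr"], client_ip):
                continue
        if _name_matches(rule["db"], db) and _name_matches(rule["user"], user):
            return rule
    return None


def auth_method_for(text, db, user, client_ip):
    """Convenience wrapper: which auth method a TCP client would be given."""
    rule = first_match(parse_pg_hba(text), "host", db, user, client_ip)
    return None if rule is None else rule["method"]


if __name__ == "__main__":
    user, client = "[email protected]", "10.11.222.50"  # constructed client address
    for label, text in (("as posted", SAMPLE_PG_HBA), ("LDAP line first", SAMPLE_PG_HBA_FIXED)):
        rule = first_match(parse_pg_hba(text), "host", "postgres", user, client)
        print(f"{label}: line {rule['line']} -> {rule['method']} {rule['options']}")
```

With the file as posted, a remote client for `postgres` lands on the `md5` line and never reaches the LDAP rule; with the LDAP line moved above the catch-all, the same client is handed `ldap` with `ldaptls=1` and an empty `ldapprefix`. The same walk applies to whichever real file the server loaded, which is why the answer also mentions reloading and editing the right cluster's copy.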
  2. The parameter ldaptls=1 means you will encrypt the traffic at the LDAP layer (with StartTLS). It might not be supported or configured by your LDAP server, or Postgres probably doesn't trust your LDAP server's certificate.

    Sending passwords in the clear is not great, even internally. Switching to ldaptls=0 will lower the security of this connection to the same level as your Node app, and confirm that this is the actual problem.

    If it is, I suggest you proceed to upgrade your LDAP connection security to trusty old TLS for both Node and Postgres.
