postgresql pgbouncer

pgbouncer does not start with ldap


I am trying to set up pgbouncer with ldap to connect to RDS Postgres. I downloaded the latest version of pgbouncer (1.11) and am using the hba auth_type. I get the error below when starting the pgbouncer daemon. Am I missing something?

[centos@ip-x.x.x.x etc]$ pgbouncer -V
PgBouncer version 1.11.0
[centos@ip-x.x.x.x etc]$ cat pg_hba.conf 
host all user1 0.0.0.0/0 md5
host all all     0.0.0.0/0 ldap ldapserver=ldap-server.com ldapprefix="cn=" ldapsuffix=", dc=group, dc=com"

[centos@ip-x.x.x.x etc]$ cat pgbouncer.ini | grep -v '^$' | grep -v '^;' 
[databases]
db1 = host=xxx.rds.amazonaws.com port=5439 dbname=db1
[users]
[pgbouncer]
logfile = /var/log/pgbouncer/pgbouncer.log
pidfile = /var/run/pgbouncer/pgbouncer.pid
listen_addr = *
listen_port = 5439
auth_type = hba
auth_file = /home/centos/pgbouncer-1.11.0/etc/userlist.txt
auth_hba_file = /home/centos/pgbouncer-1.11.0/etc/pg_hba.conf

[centos@ip-x.x.x.x etc]$  pgbouncer -d pgbouncer.ini
2019-09-09 06:57:54.447 UTC [9465] WARNING hba line 2: unsupported method: buf=ldap
2019-09-09 06:57:54.448 UTC [9465] WARNING could not parse hba config line 2

Solution

  • The PgBouncer documentation says:

    Auth-method field: Only methods supported by PgBouncer's auth_type are supported, except any and pam, which only work globally. Username map (map=) parameter is not supported.

    And the documentation of auth_type says:

    auth_type

    How to authenticate users.

    pam:
    PAM is used to authenticate users, auth_file is ignored. This method is not compatible with databases using auth_user option. Service name reported to PAM is “pgbouncer”. Also, pam is still not supported in HBA configuration file.

    hba:
    Actual auth type is loaded from auth_hba_file. This allows different authentication methods for different access paths. Example: connections over a Unix socket use the peer auth method, connections over TCP must use TLS. Supported from version 1.7 onwards.

    cert:
    Client must connect over TLS connection with valid client cert. Username is then taken from CommonName field from certificate.

    md5:
    Use MD5-based password check. This is the default authentication method. auth_file may contain both MD5-encrypted or plain-text passwords. If md5 is configured and a user has a SCRAM secret, then SCRAM authentication is used automatically instead.

    scram-sha-256:
    Use password check with SCRAM-SHA-256. auth_file has to contain SCRAM secrets or plain-text passwords. Note that SCRAM secrets can only be used for verifying the password of a client but not for logging into a server. To be able to use SCRAM on server connections, use plain-text passwords.

    plain:
    Clear-text password is sent over wire. Deprecated.

    trust:
    No authentication is done. Username must still exist in auth_file.

    any:
    Like the trust method, but the username given is ignored. Requires that all databases are configured to log in as specific user. Additionally, the console database allows any user to log in as admin.

    So the ldap authentication method is not supported, which explains your error.

    You can try to use pam instead, together with the pam_ldap plugin.
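Concretely, a PAM-based replacement for the hba configuration in the question, as an added example that is not part of the answer, of PgBouncer's documentation, or of pam_ldap's. It assumes PgBouncer was built with `--with-pam`, that `pam_ldap.so` comes from nss-pam-ldapd (nslcd), that users are looked up by `cn` (matching the `ldapprefix="cn="` in the question), and that a fixed RDS service account (`pgbouncer_svc`, placeholder password) is used for the upstream connection; the LDAP host and base DN are the ones from the question's pg_hba.conf, and the TLS file paths are placeholders.

```ini
; pgbouncer.ini (added example, not the question's or PgBouncer's own config)
[databases]
; PAM only verifies the client's password; it gives PgBouncer nothing to log
; in to RDS with. Assumption: a fixed service account in the connect string.
db1 = host=xxx.rds.amazonaws.com port=5439 dbname=db1 user=pgbouncer_svc password=CHANGE_ME

[pgbouncer]
logfile = /var/log/pgbouncer/pgbouncer.log
pidfile = /var/run/pgbouncer/pgbouncer.pid
listen_addr = *
listen_port = 5439
; pam works only globally (auth_type), not per line inside auth_hba_file,
; so auth_hba_file and the per-user md5 line for user1 have to go.
auth_type = pam
; PAM makes PgBouncer ask the client for a clear-text password, so require
; TLS on the client side (placeholder key/cert paths).
client_tls_sslmode = require
client_tls_key_file = /etc/pgbouncer/server.key
client_tls_cert_file = /etc/pgbouncer/server.crt

# /etc/pam.d/pgbouncer  ("pgbouncer" is the service name PgBouncer reports to PAM)
auth     required   pam_ldap.so
account  required   pam_ldap.so

# /etc/nslcd.conf  (read by nss-pam-ldapd's pam_ldap.so; values from the question)
uri   ldap://ldap-server.com/
base  dc=group,dc=com
# Assumption: the directory supports STARTTLS; never send LDAP binds in the clear.
ssl   start_tls
# Assumption: the login name is the entry's cn, as in the question's ldapprefix.
map passwd uid cn
```

Before relying on this, confirm the binary was actually built with PAM support (`ldd "$(command -v pgbouncer)" | grep libpam` should list libpam; if it does not, rebuild with `./configure --with-pam`), start it in the foreground with `pgbouncer -v pgbouncer.ini`, and test with `psql "host=127.0.0.1 port=5439 dbname=db1 user=<ldap-user> sslmode=require"`. Note the trade-offs relative to the hba setup: every client now authenticates through PAM (the md5 user1 line cannot be kept), and every client session reaches RDS as the single service account, so per-user privileges on the Postgres side no longer apply.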