NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitf68d85b

committed

ldapurl is supported with simple bind

The docs currently imply that ldapurl is for search+bind only, butthat's not true. Rearrange the docs to cover this better.Add a test ldapurl with simple bind. This was previously allowed butunexercised, and now that it's documented it'd be good to pin thebehavior.Improve error when mixing LDAP bind modes. The option names had gonestale; replace them with a more general statement.Author: Jacob Champion <jacob.champion@enterprisedb.com>Discussion:https://www.postgresql.org/message-id/flat/CAOYmi+nyg9gE0LeP=xQ3AgyQGR=5ZZMkVVbWd0uR8XQmg_dd5Q@mail.gmail.com

1 parent935e675 commitf68d85bCopy full SHA for f68d85b

File tree

3 files changed

+38

-5

lines changed

doc/src/sgml
- client-auth.sgml
src
- backend/libpq
  - hba.c
- test/ldap/t
  - 001_auth.pl

3 files changed

+38

-5

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 20 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1910,13 +1910,19 @@ omicron bryanh guest1`
`1910`	`1910`	`</para>`
`1911`	`1911`	`</listitem>`
`1912`	`1912`	`</varlistentry>`
	`1913`	`+ </variablelist>`
	`1914`	`+ </para>`
	`1915`	`+`
	`1916`	`+ <para>`
	`1917`	`+ The following option may be used as an alternative way to write some of the`
	`1918`	`+ above LDAP options in a more compact and standard form:`
	`1919`	`+ <variablelist>`
`1913`	`1920`	`<varlistentry>`
`1914`	`1921`	`<term><literal>ldapurl</literal></term>`
`1915`	`1922`	`<listitem>`
`1916`	`1923`	`<para>`
`1917`	`1924`	`An <ulink url="https://datatracker.ietf.org/doc/html/rfc4516">RFC 4516</ulink>`
`1918`		`- LDAP URL. This is an alternative way to write some of the`
`1919`		`- other LDAP options in a more compact and standard form. The format is`
	`1925`	`+ LDAP URL. The format is`
`1920`	`1926`	`<synopsis>`
`1921`	`1927`	`ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>][?[<replaceable>filter</replaceable>]]]]`
`1922`	`1928`	`</synopsis>`
`@@ -1958,7 +1964,8 @@ ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<rep`
`1958`	`1964`
`1959`	`1965`	`<para>`
`1960`	`1966`	`It is an error to mix configuration options for simple bind with options`
`1961`		`- for search+bind.`
	`1967`	`+ for search+bind. To use <literal>ldapurl</literal> in simple bind mode, the`
	`1968`	`+ URL must not contain a <literal>basedn</literal> or query elements.`
`1962`	`1969`	`</para>`
`1963`	`1970`
`1964`	`1971`	`<para>`
`@@ -1994,6 +2001,16 @@ host ... ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=exam`
`1994`	`2001`	`succeeds, the database access is granted.`
`1995`	`2002`	`</para>`
`1996`	`2003`
	`2004`	`+ <para>`
	`2005`	`+ Here is a different simple-bind configuration, which uses the LDAPS scheme`
	`2006`	`+ and a custom port number, written as a URL:`
	`2007`	`+<programlisting>`
	`2008`	`+host ... ldap ldapurl="ldaps://ldap.example.net:49151" ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"`
	`2009`	`+</programlisting>`
	`2010`	`+ This is slightly more compact than specifying <literal>ldapserver</literal>,`
	`2011`	`+ <literal>ldapscheme</literal>, and <literal>ldapport</literal> separately.`
	`2012`	`+ </para>`
	`2013`	`+`
`1997`	`2014`	`<para>`
`1998`	`2015`	`Here is an example for a search+bind configuration:`
`1999`	`2016`	`<programlisting>`

`‎src/backend/libpq/hba.c`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1907,10 +1907,10 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)`
`1907`	`1907`	`{`
`1908`	`1908`	`ereport(elevel,`
`1909`	`1909`	`(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`1910`		`-errmsg("cannotuse ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"),`
	`1910`	`+errmsg("cannotmix options for simple bind and search+bind modes"),`
`1911`	`1911`	`errcontext("line %d of configuration file \"%s\"",`
`1912`	`1912`	`line_num,file_name)));`
`1913`		`-*err_msg="cannotuse ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix";`
	`1913`	`+*err_msg="cannotmix options for simple bind and search+bind modes";`
`1914`	`1914`	`returnNULL;`
`1915`	`1915`	`}`
`1916`	`1916`	`}`

`‎src/test/ldap/t/001_auth.pl`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,22 @@ sub test_access`
`145`	`145`
`146`	`146`	`note"LDAP URLs";`
`147`	`147`
	`148`	`+unlink($node->data_dir .'/pg_hba.conf');`
	`149`	`+$node->append_conf('pg_hba.conf',`
	`150`	`+qq{local all all ldap ldapurl="$ldap_url" ldapprefix="uid=" ldapsuffix=",dc=example,dc=net"}`
	`151`	`+);`
	`152`	`+$node->restart;`
	`153`	`+`
	`154`	`+$ENV{"PGPASSWORD"} ='wrong';`
	`155`	`+test_access($node,'test0', 2,`
	`156`	`+'simple bind with LDAP URL authentication fails if user not found in LDAP'`
	`157`	`+);`
	`158`	`+test_access($node,'test1', 2,`
	`159`	`+'simple bind with LDAP URL authentication fails with wrong password');`
	`160`	`+$ENV{"PGPASSWORD"} ='secret1';`
	`161`	`+test_access($node,'test1', 0,`
	`162`	`+'simple bind with LDAP URL authentication succeeds');`
	`163`	`+`
`148`	`164`	`unlink($node->data_dir .'/pg_hba.conf');`
`149`	`165`	`$node->append_conf('pg_hba.conf',`
`150`	`166`	`qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn?uid?sub"});`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf68d85b

File tree

3 files changed

3 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎src/backend/libpq/hba.c`

`‎src/test/ldap/t/001_auth.pl`

0 commit comments