1- <!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.124 2009/10/01 01:58:57 tgl Exp $ -->
1+ <!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.125 2009/12/12 21:35:21 mha Exp $ -->
22
33<chapter id="client-authentication">
44 <title>Client Authentication</title>
@@ -1202,14 +1202,32 @@ omicron bryanh guest1
12021202 </para>
12031203
12041204 <para>
1205- The server will bind to the distinguished name constructed as
1205+ LDAP authentication can operate in two modes. In the first mode,
1206+ the server will bind to the distinguished name constructed as
12061207 <replaceable>prefix</> <replaceable>username</> <replaceable>suffix</>.
12071208 Typically, the <replaceable>prefix</> parameter is used to specify
12081209 <literal>cn=</>, or <replaceable>DOMAIN</><literal>\</> in an Active
12091210 Directory environment. <replaceable>suffix</> is used to specify the
12101211 remaining part of the DN in a non-Active Directory environment.
12111212 </para>
12121213
1214+ <para>
1215+ In the second mode, the server first binds to the LDAP directory with
1216+ a fixed username and password, specified with <replaceable>ldapbinduser</>
1217+ and <replaceable>ldapbinddn</>, and performs a search for the user trying
1218+ to log in to the database. If no user and password is configured, an
1219+ anonymous bind will be attempted to the directory. The search will be
1220+ performed over the subtree at <replaceable>ldapbasedn</>, and will try to
1221+ do an exact match of the attribute specified in
1222+ <replaceable>ldapsearchattribute</>. If no attribute is specified, the
1223+ <literal>uid</> attribute will be used. Once the user has been found in
1224+ this search, the server disconnects and re-binds to the directory as
1225+ this user, using the password specified by the client, to verify that the
1226+ login is correct. This method allows for significantly more flexibility
1227+ in where the user objects are located in the directory, but will cause
1228+ two separate connections to the LDAP server to be made.
1229+ </para>
1230+
12131231 <para>
12141232 The following configuration options are supported for LDAP:
12151233 <variablelist>
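Review bot: the new paragraph at 1216-1217 names the bind credentials as "ldapbinduser" and "ldapbinddn", but the option list added by the same patch defines "ldapbinddn" and "ldapbindpasswd" and no "ldapbinduser" option exists; change the sentence to "specified with <replaceable>ldapbinddn</> and <replaceable>ldapbindpasswd</>" so the prose and the option list agree. In the same paragraph, "If no user and password is configured" should read "If no user and password are configured", and since that case silently falls back to an anonymous bind, it is worth stating plainly that an omitted ldapbindpasswd is not an error but a deliberate anonymous search, so an administrator does not deploy it unintentionally.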
@@ -1221,42 +1239,80 @@ omicron bryanh guest1
12211239 </para>
12221240 </listitem>
12231241 </varlistentry>
1242+ <varlistentry>
1243+ <term><literal>ldapport</literal></term>
1244+ <listitem>
1245+ <para>
1246+ Port number on LDAP server to connect to. If no port is specified,
1247+ the default port in the LDAP library will be used.
1248+ </para>
1249+ </listitem>
1250+ </varlistentry>
1251+ <varlistentry>
1252+ <term><literal>ldaptls</literal></term>
1253+ <listitem>
1254+ <para>
1255+ Set to <literal>1</> to make the connection between PostgreSQL and the
1256+ LDAP server use TLS encryption. Note that this only encrypts
1257+ the traffic to the LDAP server — the connection to the client
1258+ will still be unencrypted unless SSL is used.
1259+ </para>
1260+ </listitem>
1261+ </varlistentry>
12241262 <varlistentry>
12251263 <term><literal>ldapprefix</literal></term>
12261264 <listitem>
12271265 <para>
1228- String to prepend to the username when forming the DN to bind as.
1266+ String to prepend to the username when forming the DN to bind as,
1267+ when doing simple bind authentication.
12291268 </para>
12301269 </listitem>
12311270 </varlistentry>
12321271 <varlistentry>
12331272 <term><literal>ldapsuffix</literal></term>
12341273 <listitem>
12351274 <para>
1236- String to append to the username when forming the DN to bind as.
1275+ String to append to the username when forming the DN to bind as,
1276+ when doing simple bind authentication.
12371277 </para>
12381278 </listitem>
12391279 </varlistentry>
12401280 <varlistentry>
1241- <term><literal>ldapport </literal></term>
1281+ <term><literal>ldapbasedn </literal></term>
12421282 <listitem>
12431283 <para>
1244- Port number on LDAP server to connect to. If no port is specified,
1245- the default port in the LDAP library will be used .
1284+ DN to root the search for the user in, when doing search+bind
1285+ authentication .
12461286 </para>
12471287 </listitem>
12481288 </varlistentry>
12491289 <varlistentry>
1250- <term><literal>ldaptls </literal></term>
1290+ <term><literal>ldapbinddn </literal></term>
12511291 <listitem>
12521292 <para>
1253- Set to <literal>1</> to make the connection between PostgreSQL and the
1254- LDAP server use TLS encryption. Note that this only encrypts
1255- the traffic to the LDAP server — the connection to the client
1256- will still be unencrypted unless SSL is used.
1293+ DN of user to bind to the directory with to perform the search when
1294+ doing search+bind authentication.
12571295 </para>
12581296 </listitem>
12591297 </varlistentry>
1298+ <varlistentry>
1299+ <term><literal>ldapbindpasswd</literal></term>
1300+ <listitem>
1301+ <para>
1302+ Password for user to bind to the directory with to perform the search
1303+ when doing search+bind authentication.
1304+ </para>
1305+ </listitem>
1306+ </varlistentry>
1307+ <varlistentry>
1308+ <term><literal>ldapsearchattribute</literal></term>
1309+ <listitem>
1310+ <para>
1311+ Attribute to match against the username in the search when doing
1312+ search+bind authentication.
1313+ </para>
1314+ </listitem>
1315+ </varlistentry>
12601316 </variablelist>
12611317 </para>
12621318
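Review bot: the two new terms at 1281 and 1290 carry a trailing space inside <literal> ("ldapbasedn " and "ldapbinddn "), inherited from the old "ldapport " and "ldaptls " entries that this hunk otherwise cleans up (1243 and 1252 drop it); remove it so the rendered option names match the spelling used in the paragraph above. Likewise "authentication ." at 1285 keeps the stray space before the period from the old "used ." at 1245. The ldapsearchattribute entry at 1311-1312 should also state the default ("uid") that the prose describes, so a reader of the option list alone knows which attribute is matched when it is omitted.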