</para>

</listitem>

</varlistentry>

<varlistentry>

<term><literal>ldapurl</literal></term>

<listitem>

<para>

An RFC 4516 LDAP URL. This is an alternative way to write most of the

other LDAP options in a more compact and standard form. The format is

<synopsis>

ldap://[<replaceable>user</replaceable>[:<replaceable>password</replaceable>]@]<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>]]]

</synopsis>

<replaceable>scope</replaceable> must be one

of <literal>base</literal>, <literal>one</literal>, <literal>sub</literal>,

typically the latter. Only one attribute is used, and some other

components of standard LDAP URLs such as filters and extensions are

not supported.

</para>

<para>

To use encrypted LDAP connections, the <literal>ldaptls</literal>

option has to be used in addition to <literal>ldapurl</literal>.

The <literal>ldaps</literal> URL scheme (direct SSL connection) is not

supported.

</para>

<para>

LDAP URLs are currently only supported with OpenLDAP, not on Windows.

</para>

</listitem>

</varlistentry>

</variablelist>

</para>

If that second connection succeeds, the database access is granted.

</para>

<para>

Here is the same search+bind configuration written as a URL:

<programlisting>

host ... ldap lapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"

</programlisting>

Some other software that supports authentication against LDAP uses the

same URL format, so it will be easier to share the configuration.

</para>

<tip>

<para>

Since LDAP often uses commas and spaces to separate the different

r=ldap_search_s(ldap,

port->hba->ldapbasedn,

LDAP_SCOPE_SUBTREE,

port->hba->ldapscope,

filter,

attributes,

0,

#defineatooid(x) ((Oid) strtoul((x), NULL, 10))

#defineatoxid(x) ((TransactionId) strtoul((x), NULL, 10))

{

ereport(LOG,

(errcode(ERRCODE_CONFIG_FILE_ERROR),

errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, orldapsearchattribute together with ldapprefix"),

errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd,ldapsearchattribute,orldapurl together with ldapprefix"),

errcontext("line %d of configuration file \"%s\"",

line_num,HbaFileName)));

returnNULL;

parse_hba_auth_opt(char*name,char*val,HbaLine*hbaline,intline_num)

{

hbaline->ldapscope=LDAP_SCOPE_SUBTREE;

if (strcmp(name,"map")==0)

{

if (hbaline->auth_method!=uaIdent&&

REQUIRE_AUTH_OPTION(uaPAM,"pamservice","pam");

hbaline->pamservice=pstrdup(val);

}

elseif (strcmp(name,"ldapurl")==0)

{

LDAPURLDesc*urldata;

intrc;

REQUIRE_AUTH_OPTION(uaLDAP,"ldapurl","ldap");

rc=ldap_url_parse(val,&urldata);

if (rc!=LDAP_SUCCESS)

{

ereport(LOG,

(errcode(ERRCODE_CONFIG_FILE_ERROR),

errmsg("could not parse LDAP URL \"%s\": %s",val,ldap_err2string(rc))));

return false;

}

if (strcmp(urldata->lud_scheme,"ldap")!=0)

{

ereport(LOG,

(errcode(ERRCODE_CONFIG_FILE_ERROR),

errmsg("unsupported LDAP URL scheme: %s",urldata->lud_scheme)));

ldap_free_urldesc(urldata);

return false;

}

hbaline->ldapserver=pstrdup(urldata->lud_host);

hbaline->ldapport=urldata->lud_port;

hbaline->ldapbasedn=pstrdup(urldata->lud_dn);

if (urldata->lud_attrs)

hbaline->ldapsearchattribute=pstrdup(urldata->lud_attrs[0]);/* only use first one */

hbaline->ldapscope=urldata->lud_scope;

if (urldata->lud_filter)

{

ereport(LOG,

(errcode(ERRCODE_CONFIG_FILE_ERROR),

errmsg("filters not supported in LDAP URLs")));

ldap_free_urldesc(urldata);

return false;

}

ldap_free_urldesc(urldata);

ereport(LOG,

(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),

errmsg("LDAP URLs not supported on this platform")));

}

elseif (strcmp(name,"ldaptls")==0)

{

REQUIRE_AUTH_OPTION(uaLDAP,"ldaptls","ldap");

char*ldapbindpasswd;

char*ldapsearchattribute;

char*ldapbasedn;

intldapscope;

char*ldapprefix;

char*ldapsuffix;

boolclientcert;