diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index f1eb3b279ed..51343de7cad 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1910,13 +1910,19 @@ omicron bryanh guest1 + + + + + The following option may be used as an alternative way to write some of the + above LDAP options in a more compact and standard form: + ldapurl An RFC 4516 - LDAP URL. This is an alternative way to write some of the - other LDAP options in a more compact and standard form. The format is + LDAP URL. The format is ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]
@@ -1958,7 +1964,8 @@ ldap[s]://host[:port]/ It is an error to mix configuration options for simple bind with options - for search+bind. + for search+bind. To use ldapurl in simple bind mode, the + URL must not contain a basedn or query elements.
@@ -1994,6 +2001,16 @@ host ... ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=exam succeeds, the database access is granted. + + Here is a different simple-bind configuration, which uses the LDAPS scheme + and a custom port number, written as a URL: + host ... ldap ldapurl="ldaps://ldap.example.net:49151" ldapprefix="cn=" ldapsuffix=", dc=example, dc=net" + This is slightly more compact than specifying ldapserver, + ldapscheme, and ldapport separately. + + Here is an example for a search+bind configuration:
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 18271def2e8..75d588e36a1 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1907,10 +1907,10 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
 {
 ereport(elevel,
 (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"),
+ errmsg("cannot mix options for simple bind and search+bind modes"),
 errcontext("line %d of configuration file \"%s\"",
 line_num, file_name)));
- *err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix";
+ *err_msg = "cannot mix options for simple bind and search+bind modes";
 return NULL;
 }
 }
diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 850db34503f..43e029921ca 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -145,6 +145,22 @@ test_access($node, 'test1', 0, 'search+bind authentication succeeds');
 note "LDAP URLs";
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+ qq{local all all ldap ldapurl="$ldap_url" ldapprefix="uid=" ldapsuffix=",dc=example,dc=net"}
+);
+$node->restart;
+
+$ENV{"PGPASSWORD"} = 'wrong';
+test_access($node, 'test0', 2,
+ 'simple bind with LDAP URL authentication fails if user not found in LDAP'
+);
+test_access($node, 'test1', 2,
+ 'simple bind with LDAP URL authentication fails with wrong password');
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0,
+ 'simple bind with LDAP URL authentication succeeds');
+
 unlink($node->data_dir . '/pg_hba.conf');
 $node->append_conf('pg_hba.conf',
 qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn?uid?sub"});
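Review bot: The shortened text in the new `errmsg()` and `*err_msg` lines no longer names the conflicting pg_hba.conf keywords, so an administrator reading the log is told that options were mixed but not which ones to remove; an `errhint()` listing the option groups the removed message spelled out would keep the diagnostic actionable without re-lengthening the primary message. The same literal is still written twice, once for `errmsg()` and once for `*err_msg`, so a single `static const char *` shared by both would stop the two copies drifting on the next rewording. The condition that raises this error sits above the hunk, so whether an `ldapurl` carrying a basedn or query elements is rejected in simple-bind mode, as the documentation change in this commit states, cannot be confirmed from here. parse_hba_line begins and ends outside the hunk.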
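Review bot: The new block only exercises the accepted form of a simple-bind `ldapurl`; the error path this commit documents and rewords in hba.c, an `ldapurl` that carries a basedn or query elements combined with `ldapprefix`, is never triggered, so a regression there would pass this test. A companion case writing `qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn?uid?sub" ldapprefix="uid="}` into pg_hba.conf and checking that the connection is rejected and the server log contains `cannot mix options for simple bind and search+bind modes` would cover it, using whatever log-matching helper this file already relies on. `$ldap_url` and `$ldap_basedn` are defined outside the hunk, so the values the new lines interpolate cannot be checked from here.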