mirror of https://github.com/postgres/postgres.git synced 2025-04-24 10:47:04 +03:00

ldapurl is supported with simple bind

The docs currently imply that ldapurl is for search+bind only, but
that's not true.  Rearrange the docs to cover this better.

Add a test for ldapurl with simple bind.  This was previously allowed but
unexercised, and now that it's documented it'd be good to pin the
behavior.

Improve error when mixing LDAP bind modes.  The option names had gone
stale; replace them with a more general statement.

Author: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: https://www.postgresql.org/message-id/flat/CAOYmi+nyg9gE0LeP=xQ3AgyQGR=5ZZMkVVbWd0uR8XQmg_dd5Q@mail.gmail.com
This commit is contained in:
Peter Eisentraut 2024-07-23 10:14:38 +02:00
parent 935e675f3c
commit f68d85bf69
3 changed files with 38 additions and 5 deletions

@ -1910,13 +1910,19 @@ omicron bryanh guest1
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist>
</para>
<para>
The following option may be used as an alternative way to write some of the
above LDAP options in a more compact and standard form:
<variablelist>
<varlistentry> <varlistentry>
<term><literal>ldapurl</literal></term> <term><literal>ldapurl</literal></term>
<listitem> <listitem>
<para> <para>
An <ulink url="https://datatracker.ietf.org/doc/html/rfc4516">RFC 4516</ulink> An <ulink url="https://datatracker.ietf.org/doc/html/rfc4516">RFC 4516</ulink>
LDAP URL. This is an alternative way to write some of the LDAP URL. The format is
other LDAP options in a more compact and standard form. The format is
<synopsis> <synopsis>
ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>][?[<replaceable>filter</replaceable>]]]] ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>][?[<replaceable>filter</replaceable>]]]]
</synopsis> </synopsis>
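Review bot: the new introductory sentence ("The following option may be used as an alternative way to write some of the above LDAP options in a more compact and standard form") still does not say which bind modes ldapurl applies to, which is the ambiguity the commit message says this rearrangement is meant to fix; consider adding "in either simple bind or search+bind mode" to that sentence so the reader does not have to infer it from the examples further down. Also confirm that the <variablelist> opened just before the ldapurl <varlistentry> is closed after that entry, since the old </variablelist> that preceded it has been moved above the new paragraph.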
@ -1958,7 +1964,8 @@ ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<rep
<para> <para>
It is an error to mix configuration options for simple bind with options It is an error to mix configuration options for simple bind with options
for search+bind. for search+bind. To use <literal>ldapurl</literal> in simple bind mode, the
URL must not contain a <literal>basedn</literal> or query elements.
</para> </para>
<para> <para>
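Review bot: "the URL must not contain a basedn or query elements" leaves open whether a bare "ldaps://host:port/" with an empty DN and trailing slash is accepted in simple bind mode. The synopsis above shows the slash and basedn as fixed parts of the URL, while the new simple-bind example in this commit omits the slash entirely; since RFC 4516 treats an empty DN as valid, say explicitly whether the trailing slash is allowed, required, or rejected in simple bind mode.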
@ -1994,6 +2001,16 @@ host ... ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=exam
succeeds, the database access is granted. succeeds, the database access is granted.
</para> </para>
<para>
Here is a different simple-bind configuration, which uses the LDAPS scheme
and a custom port number, written as a URL:
<programlisting>
host ... ldap ldapurl="ldaps://ldap.example.net:49151" ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
</programlisting>
This is slightly more compact than specifying <literal>ldapserver</literal>,
<literal>ldapscheme</literal>, and <literal>ldapport</literal> separately.
</para>
<para> <para>
Here is an example for a search+bind configuration: Here is an example for a search+bind configuration:
<programlisting> <programlisting>
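Review bot: the new paragraph says "simple-bind configuration" with a hyphen while the paragraph added two hunks above says "simple bind mode" and the new hba.c message says "simple bind and search+bind modes"; pick one spelling for the whole page. It would also help to state in this paragraph that the host, scheme and port are taken from the URL while ldapprefix/ldapsuffix are what select simple bind mode, rather than only saying the form is "slightly more compact".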

@ -1907,10 +1907,10 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
{ {
ereport(elevel, ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR), (errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"), errmsg("cannot mix options for simple bind and search+bind modes"),
errcontext("line %d of configuration file \"%s\"", errcontext("line %d of configuration file \"%s\"",
line_num, file_name))); line_num, file_name)));
*err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"; *err_msg = "cannot mix options for simple bind and search+bind modes";
return NULL; return NULL;
} }
} }
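Review bot: the new message "cannot mix options for simple bind and search+bind modes" drops the option names, so the only locating information left is the errcontext line number, and the user has to work out which option on that line belongs to the other mode. Consider keeping the offending option in the report, for example via an errhint that names the option that triggered the conflict (the branch already knows it is checking for ldapprefix), so the message stays general without losing the information the old one carried.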

@ -145,6 +145,22 @@ test_access($node, 'test1', 0, 'search+bind authentication succeeds');
note "LDAP URLs"; note "LDAP URLs";
unlink($node->data_dir . '/pg_hba.conf');
$node->append_conf('pg_hba.conf',
qq{local all all ldap ldapurl="$ldap_url" ldapprefix="uid=" ldapsuffix=",dc=example,dc=net"}
);
$node->restart;
$ENV{"PGPASSWORD"} = 'wrong';
test_access($node, 'test0', 2,
'simple bind with LDAP URL authentication fails if user not found in LDAP'
);
test_access($node, 'test1', 2,
'simple bind with LDAP URL authentication fails with wrong password');
$ENV{"PGPASSWORD"} = 'secret1';
test_access($node, 'test1', 0,
'simple bind with LDAP URL authentication succeeds');
unlink($node->data_dir . '/pg_hba.conf'); unlink($node->data_dir . '/pg_hba.conf');
$node->append_conf('pg_hba.conf', $node->append_conf('pg_hba.conf',
qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn?uid?sub"}); qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn?uid?sub"});
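Review bot: the new test only exercises authentication success and failure for a simple-bind ldapurl line; nothing here covers the two behaviours this commit documents and changes, namely that a URL carrying a basedn or query elements is rejected in simple bind mode and that mixing simple bind and search+bind options now produces the new "cannot mix options" error. Consider adding a negative case along the lines of ldapurl="$ldap_url/$ldap_basedn?uid?sub" combined with ldapprefix="uid=" and asserting that the pg_hba.conf line fails to load. Also, the test name "simple bind with LDAP URL authentication fails if user not found in LDAP" is carried over from the search+bind wording; with ldapprefix/ldapsuffix there is no directory lookup, the server simply rejects the bind for the constructed DN, so "fails for a DN that does not exist" would describe it more accurately.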