diff options
| -rw-r--r-- | doc/src/sgml/client-auth.sgml | 23 | ||||
| -rw-r--r-- | src/backend/libpq/hba.c | 4 | ||||
| -rw-r--r-- | src/test/ldap/t/001_auth.pl | 16 |
3 files changed, 38 insertions, 5 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index f1eb3b279ed..51343de7cad 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1910,13 +1910,19 @@ omicron bryanh guest1 </para> </listitem> </varlistentry> + </variablelist> + </para> + + <para> + The following option may be used as an alternative way to write some of the + above LDAP options in a more compact and standard form: + <variablelist> <varlistentry> <term><literal>ldapurl</literal></term> <listitem> <para> An <ulink url="https://datatracker.ietf.org/doc/html/rfc4516">RFC 4516</ulink> - LDAP URL. This is an alternative way to write some of the - other LDAP options in a more compact and standard form. The format is + LDAP URL. The format is <synopsis> ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>][?[<replaceable>filter</replaceable>]]]] </synopsis> @@ -1958,7 +1964,8 @@ ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<rep <para> It is an error to mix configuration options for simple bind with options - for search+bind. + for search+bind. To use <literal>ldapurl</literal> in simple bind mode, the + URL must not contain a <literal>basedn</literal> or query elements. </para> <para> @@ -1995,6 +2002,16 @@ host ... ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=exam </para> <para> + Here is a different simple-bind configuration, which uses the LDAPS scheme + and a custom port number, written as a URL: +<programlisting> +host ... ldap ldapurl="ldaps://ldap.example.net:49151" ldapprefix="cn=" ldapsuffix=", dc=example, dc=net" +</programlisting> + This is slightly more compact than specifying <literal>ldapserver</literal>, + <literal>ldapscheme</literal>, and <literal>ldapport</literal> separately. + </para> + + <para> Here is an example for a search+bind configuration: <programlisting> host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapsearchattribute=uid diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 18271def2e8..75d588e36a1 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1907,10 +1907,10 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel) { ereport(elevel, (errcode(ERRCODE_CONFIG_FILE_ERROR), - errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"), + errmsg("cannot mix options for simple bind and search+bind modes"), errcontext("line %d of configuration file \"%s\"", line_num, file_name))); - *err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"; + *err_msg = "cannot mix options for simple bind and search+bind modes"; return NULL; } } diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl index 850db34503f..43e029921ca 100644 --- a/src/test/ldap/t/001_auth.pl +++ b/src/test/ldap/t/001_auth.pl @@ -147,6 +147,22 @@ note "LDAP URLs"; unlink($node->data_dir . '/pg_hba.conf'); $node->append_conf('pg_hba.conf', + qq{local all all ldap ldapurl="$ldap_url" ldapprefix="uid=" ldapsuffix=",dc=example,dc=net"} +); +$node->restart; + +$ENV{"PGPASSWORD"} = 'wrong'; +test_access($node, 'test0', 2, + 'simple bind with LDAP URL authentication fails if user not found in LDAP' +); +test_access($node, 'test1', 2, + 'simple bind with LDAP URL authentication fails with wrong password'); +$ENV{"PGPASSWORD"} = 'secret1'; +test_access($node, 'test1', 0, + 'simple bind with LDAP URL authentication succeeds'); + +unlink($node->data_dir . '/pg_hba.conf'); +$node->append_conf('pg_hba.conf', qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn?uid?sub"}); $node->restart; |