Re: BUG #16399: Ldap authentication bug

From Thomas Munro
Subject Re: BUG #16399: Ldap authentication bug
Date
Msg-id CA+hUKGKCfB5hxbdNv4LDwWD-9TXg4nmGgWX2mchsUjkJLmfefA@mail.gmail.com
In reply to BUG #16399: Ldap authentication bug  (PG Bug reporting form <noreply@postgresql.org>)
List pgsql-bugs
On Wed, Apr 29, 2020 at 12:22 PM PG Bug reporting form
<noreply@postgresql.org> wrote:
> The following bug has been logged on the website:
>
> Bug reference:      16399
> Logged by:          Ciaran
> Email address:      ciaranrh@gmail.com
> PostgreSQL version: 10.12
> Operating system:   Windows Server 2012
> Description:
>
> Hello,
>
> Following the documentation here:
> https://www.postgresql.org/docs/10/auth-methods.html#AUTH-LDAP I'm
> attempting to enable LDAP authentication on my postgres database.
>
> The relevant line for my testing this in my pg_hba.conf file is as
> follows:
> host    all             ciaranh         0.0.0.0/0               ldap
> ldapurl="ldap://<DC>/OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one"
> #ldapbinddn="CN=Postgres Bind, OU=Service Accounts, DC=CNFLTD, DC=COM"
> ldapbindpasswd="cnfP@ssw0rd"
>
> I receive the following error when trying to start the postgres service:
> 2020-04-28 16:00:02.619 PDT [4704] LOG:  authentication method "ldap"
> requires argument "ldapserver" to be set
> 2020-04-28 16:00:02.619 PDT [4704] CONTEXT:  line 79 of configuration file
> "C:/Program Files/PostgreSQL/10/data/pg_hba.conf"
> 2020-04-28 16:00:02.619 PDT [4704] FATAL:  could not load pg_hba.conf
>
> I do not understand why the ldapserver need be set if it's specified in the
> ldapurl field, this seems like a bug to me.

Huh.  I'm surprised you don't get the error "LDAP URLs not supported
on this platform"[1], since you're on Windows.  Our documentation
states that we don't support LDAP URLs on Windows (patches welcome);
it's possible that the error checking for that is somehow wrong.

I haven't heard of this myself, but if your build is somehow using
OpenLDAP instead of Win32 LDAP then I suppose it should just work
(though I'm not entirely sure if there are other places in the code
that assume that Windows must be using Win32 LDAP).  That would imply
that ldap_url_parse() succeeded but set urldata->lud_host to NULL for
your input string.  Not sure why; when I tried passing that exact URL
to my local ldap_url_parse() it gives back the string "<DC>".  I don't
expect that to actually work (perhaps Windows LDAP understands "<DC>"
here, but I don't think OpenLDAP does) but that's another problem.

[1] https://github.com/postgres/postgres/blob/REL_10_STABLE/src/backend/libpq/hba.c#L1746
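
The hypothesis in the reply above (the URL parses, but its host field comes back empty, so no server is set) can be modelled with a small parser. This is an added example, not part of the original message and not PostgreSQL or OpenLDAP code; `parse_ldap_url`, `check_hba_ldapurl` and the hostname pattern are illustrative assumptions, and the host-less URL is constructed.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote
# Message text copied from the server log quoted in the bug report.
MISSING_SERVER = 'authentication method "ldap" requires argument "ldapserver" to be set'

class LdapUrl(NamedTuple):
    scheme: str
    host: Optional[str]   # None models lud_host == NULL
    port: Optional[int]
    dn: str
    attributes: List[str]
    scope: str

def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://[host[:port]]/dn[?attributes[?scope]] (RFC 4516 layout)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, colon, port = hostport.rpartition(":")
    if not (colon and port.isdigit()):
        host, port = hostport, ""   # no port given (also a bare [IPv6] literal)
    fields = tail.split("?") + ["", ""]
    return LdapUrl(
        scheme=scheme.lower(),
        host=unquote(host) or None,   # the host part is optional in an LDAP URL
        port=int(port) if port else None,
        dn=unquote(fields[0]),
        attributes=[a for a in unquote(fields[1]).split(",") if a],
        scope=fields[2].lower() or "base",
    )

def check_hba_ldapurl(url: str) -> List[str]:
    """Problems a pre-flight check would report for an ldapurl value."""
    u = parse_ldap_url(url)
    problems = []
    if u.host is None:
        problems.append(MISSING_SERVER)   # no host in the URL, so no server is set
    elif not re.fullmatch(r"[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\]", u.host):
        problems.append(f"host {u.host!r} is not a hostname or IP literal")
    if u.scope not in ("base", "one", "sub"):
        problems.append(f"unknown scope {u.scope!r}")
    return problems

if __name__ == "__main__":
    for url in ("ldap://<DC>/OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one",  # from the report
                "ldap:///OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one"):     # constructed: host omitted
        print(url, "->", check_hba_ldapurl(url) or "ok")
```
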


