Re: [BUGS] BUG #3095: LDAP authentication parsing incorrectly - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: [BUGS] BUG #3095: LDAP authentication parsing incorrectly
Date
Msg-id 200703242150.l2OLo3O01420@momjian.us
List pgsql-patches
I have researched this problem, and the incorrect behavior seems to be
totally caused by the fact that unquoted commas are treated as item
separators in pg_hba.conf.

I have updated the documentation in 8.2 and CVS HEAD to indicate that
the LDAP URL should be double-quoted, and double-quoted the example URL
for emphasis.

If double-quoting does not 100% fix your problem, please let us know.
Thanks.

Documentation patch attached.

---------------------------------------------------------------------------

Joey Wang wrote:
>
> The following bug has been logged online:
>
> Bug reference:      3095
> Logged by:          Joey Wang
> Email address:      jwang@sentillion.com
> PostgreSQL version: 8.2.3
> Operating system:   Linux
> Description:        LDAP authentication parsing incorrectly
> Details:
>
> LDAP authentication parsing has two bugs.
>
> When pg_hba.conf contains a line
>
> host all all 127.0.0.1/24 ldap ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users
>
> We expect the parsing will construct a user DN as
>
> cn=userid,cn=users,dc=domain,dc=com
>
> But
>
> (1) dc=domain,dc=com is ignored. This is the src code from auth.c:
>
> .....
>
> /* ldap, no port number */
> r = sscanf(port->auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
>            server, basedn, prefix, suffix);
>
> .....
>
> snprintf(fulluser, sizeof(fulluser), "%s%s%s",
>      prefix, port->user_name, suffix);
> fulluser[sizeof(fulluser) - 1] = '\0';
>
> r = ldap_simple_bind_s(ldap, fulluser, passwd);
>
> We can see the code did not use basedn.
>
> (2) A suffix containing ',' is converted to another character. This bug is
> caused by the parsing algorithm treating the comma as a token separator.

--
  Bruce Momjian  <bruce@momjian.us>          http://momjian.us
  EnterpriseDB                               http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
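As an added illustration, not code from this thread or from PostgreSQL, the C program below models the tokenizing rule Bruce describes (a simplified stand-in for hba.c, not the real tokenizer) and reuses the sscanf pattern and snprintf from the quoted auth.c excerpt to show what field 6 of a pg_hba.conf line becomes with and without double quotes, and that basedn never reaches the bound DN. The two pg_hba.conf lines are constructed from the report's example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Constructed pg_hba.conf lines: the reporter's unquoted URL, and the
 * double-quoted form the documentation patch recommends. */
static const char *HBA_UNQUOTED =
    "host all all 127.0.0.1/24 ldap ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users";
static const char *HBA_QUOTED =
    "host all all 127.0.0.1/24 ldap \"ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users\"";

/* Simplified model (not hba.c itself) of the rule in the thread: whitespace and unquoted
 * commas end a token, a quoted span keeps them. Returns token idx (0-based) or NULL. */
static const char *hba_token(const char *line, int idx)
{
    static char buf[256];
    const char *p = line;
    for (int t = 0; t <= idx; t++) {
        size_t i = 0; int inq = 0;
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) return NULL;
        for (; *p; p++) {
            if (*p == '"') { inq = !inq; continue; }  /* quotes toggle and are dropped */
            if (!inq && (isspace((unsigned char)*p) || *p == ',')) break;
            if (i + 1 < sizeof buf) buf[i++] = *p;
        }
        buf[i] = '\0';
        if (*p == ',') p++;  /* step over the comma between list items */
    }
    return buf;
}
/* Same sscanf pattern and DN assembly as the auth.c excerpt in the report: basedn is
 * captured but unused, so the bound DN is prefix+user+suffix. NULL if fewer than 4 match. */
static const char *ldap_bind_dn(const char *auth_arg, const char *user)
{
    static char fulluser[512];
    char server[128], basedn[128], prefix[128], suffix[128];
    if (sscanf(auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
               server, basedn, prefix, suffix) != 4)
        return NULL;
    snprintf(fulluser, sizeof fulluser, "%s%s%s", prefix, user, suffix);
    return fulluser;
}
int main(void)
{
    const char *lines[] = { HBA_UNQUOTED, HBA_QUOTED };
    for (int i = 0; i < 2; i++) {
        const char *url = hba_token(lines[i], 5), *dn = ldap_bind_dn(url, "userid");
        printf("field 6: %s\n  bind DN: %s\n", url, dn ? dn : "(parse failed)");
    }
}
```

The unquoted line yields `ldap://ActiveDirectory/dc=domain` as field 6, which the sscanf pattern cannot complete, while the quoted line binds as `cn=userid,cn=users`, with `dc=domain,dc=com` still absent.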
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.97
diff -c -c -r1.97 client-auth.sgml
*** doc/src/sgml/client-auth.sgml    31 Jan 2007 20:56:16 -0000    1.97
--- doc/src/sgml/client-auth.sgml    24 Mar 2007 21:44:29 -0000
***************
*** 929,937 ****
      <synopsis>
  ldap[<replaceable>s</>]://<replaceable>servername</>[:<replaceable>port</>]/<replaceable>base
dn</replaceable>[;<replaceable>prefix</>[;<replaceable>suffix</>]]
      </synopsis>
!     for example:
      <synopsis>
! ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\
      </synopsis>

     </para>
--- 929,941 ----
      <synopsis>
  ldap[<replaceable>s</>]://<replaceable>servername</>[:<replaceable>port</>]/<replaceable>base
dn</replaceable>[;<replaceable>prefix</>[;<replaceable>suffix</>]]
      </synopsis>
!     Commas are used to specify multiple items in an <literal>ldap</>
!     component.  However, because unquoted commas are treated as item
!     separators in <filename>pg_hba.conf</filename>, it is wise to
!     double-quote the <literal>ldap</> URL to preserve any commas present,
!     e.g.:
      <synopsis>
! "ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\"
      </synopsis>

     </para>
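Review bot: The added prose explains the comma quoting but leaves the reporter's point (1) unaddressed: the quoted auth.c excerpt captures `basedn` with sscanf and then builds `fulluser` from `prefix, port->user_name, suffix` only, so a reader of the revised synopsis will still expect `base dn` to become part of the bound DN. Suggest adding a sentence here stating that the base DN is not used when binding, so the suffix must carry the remainder of the DN (for the reporter's case `;,cn=users,dc=domain,dc=com` rather than `;,cn=users`), or pairing this doc change with a code fix. Also worth a check on the new example `"ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\"`: it ends in a backslash immediately before the closing quote, so confirm the pg_hba.conf tokenizer does not read `\"` as an escaped quote.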
