So, what's the "base dn" in an LDAP URL again?

From: Tom Lane
The fine manual claims that the "base dn" part of an LDAP URL
is meaningful:
    The server will bind to the distinguished name specified as base dn
    using the user name supplied by the client. If prefix and suffix is
    specified, it will be prepended and appended to the user name before
    the bind.

But looking at CheckLDAPAuth() just now, it doesn't do anything at all
with the basedn part of the string.  Seems to me this is either a code
bug or a docs bug.
        regards, tom lane


Re: So, what's the "base dn" in an LDAP URL again?

From: Magnus Hagander
Tom Lane wrote:
> The fine manual claims that the "base dn" part of an LDAP URL
> is meaningful:
> 
>     The server will bind to the distinguished name specified as base
>     dn using the user name supplied by the client. If prefix and
>     suffix is specified, it will be prepended and appended to the
>     user name before the bind.
> 
> But looking at CheckLDAPAuth() just now, it doesn't do anything at all
> with the basedn part of the string.  Seems to me this is either a code
> bug or a docs bug.

I think it's a docs bug. You don't "bind to the dn...". You bind *with*
a DN, and that one is made out of <prefix><username><suffix>.

IIRC, my original intent was for it to bind using that and then attempt
to access the location specified by basedn, so one could set permissions
on that object. But I never did implement that - and even if I did, the
docs would still be wrong.

So, the docs should be fixed - I'll take a look at that.

It does mean that basedn isn't used, and could be removed. But we're
obviously not going to do that in a backbranch, since it'd change the
syntax. As for HEAD, I'd leave it in as well, since the changes I'm
working on for pg_hba parameters will likely make the syntax change
anyway - and there's no point in doing it twice. Seems fair?

//Magnus
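The bind-DN construction Magnus describes, as an added example that is not part of the original thread and is not PostgreSQL's code: it splits an LDAP URL of the 8.2-era pg_hba.conf form ldap[s]://server[:port]/basedn[;prefix[;suffix]], forms the DN to bind with as <prefix><username><suffix>, and leaves the basedn part unused, exactly as the thread says CheckLDAPAuth() does. The RFC 4514 escaping of the user name is an extra check added here because a DN built by string concatenation changes shape when the user name carries DN metacharacters; whether the PostgreSQL code of the time did anything like it is not shown on this page. The server name and DNs are made up.

```python
"""Added example: how a PostgreSQL 8.2-style pg_hba.conf LDAP URL is split
and how the bind DN is formed. Not PostgreSQL's code; the server name and
DNs used below are made up."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LdapAuthConfig:
    scheme: str
    host: str
    port: int
    basedn: str   # parsed for completeness; the bind never consults it
    prefix: str
    suffix: str


def parse_ldap_url(url: str) -> LdapAuthConfig:
    """Split ldap[s]://server[:port]/basedn[;prefix[;suffix]] into its parts.

    urlsplit (not urlparse) is used so that the ';' separators stay in the
    path instead of being treated as URL parameters.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL has no server name")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # Empty pieces are allowed: "/basedn" alone gives an empty prefix and suffix.
    basedn, _, rest = parts.path.lstrip("/").partition(";")
    prefix, _, suffix = rest.partition(";")
    return LdapAuthConfig(parts.scheme, parts.hostname, port, basedn, prefix, suffix)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for embedding in a DN (RFC 4514 section 2.4).

    Required escapes: '"', '+', ',', ';', '<', '>' and '\\' anywhere; a leading
    space or '#'; a trailing space; NUL as \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '",+;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(cfg: LdapAuthConfig, username: str, escape: bool = True) -> str:
    """Form the DN the server binds *with*: <prefix><username><suffix>.

    cfg.basedn is deliberately ignored, matching what the thread describes.
    Escaping the user name is an added check: without it, a user name that
    contains DN metacharacters changes the structure of the resulting DN.
    """
    user = escape_dn_value(username) if escape else username
    return f"{cfg.prefix}{user}{cfg.suffix}"


if __name__ == "__main__":
    # Constructed pg_hba.conf-style URL (made-up server and DNs).
    cfg = parse_ldap_url("ldap://ldap.example.com/dc=example,dc=com;cn=;,dc=example,dc=com")
    print(f"server={cfg.host}:{cfg.port} basedn={cfg.basedn!r} (unused by the bind)")
    for name in ("alice", "alice,ou=admins"):
        print(f"{name!r:>20} raw:     {bind_dn(cfg, name, escape=False)}")
        print(f"{'':>20} escaped: {bind_dn(cfg, name)}")
```

Run stand-alone, the block shows the two-sided point: with the prefix cn= and the suffix ,dc=example,dc=com, the user name alice binds as cn=alice,dc=example,dc=com, while alice,ou=admins concatenated raw yields a DN with an extra RDN and, escaped, a DN whose cn value is the literal string alice,ou=admins.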