Re: Document use of ldapurl with LDAP simple bind - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: Document use of ldapurl with LDAP simple bind
Date
Msg-id 99058de4-bf2a-497a-91a3-537228ad143f@eisentraut.org
In response to Document use of ldapurl with LDAP simple bind  (Jacob Champion <jacob.champion@enterprisedb.com>)
List pgsql-hackers
On 24.05.24 20:54, Jacob Champion wrote:
> Our documentation implies that the ldapurl setting in pg_hba is used
> for search+bind mode only. It was pointed out to me recently that this
> is not true, and if you're dealing with simple bind on a non-standard
> scheme or port, then ldapurl makes the HBA easier to read:
> 
>      ... ldap ldapurl="ldaps://ldap.example.net:49151" ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
> 
> 0001 tries to document this helpful behavior a little better, and 0002
> pins it with a test. WDYT?

Yes, this looks correct.  Since ldapurl is really just a shorthand that 
is expanded to various other parameters, it makes sense that it would 
work for simple bind as well.

hba.c has this error message:

"cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, 
ldapsearchfilter, or ldapurl together with ldapprefix"

This appears to imply that specifying ldapurl is only applicable for 
search+bind.  Maybe that whole message should be simplified to something 
like

"configuration mixes arguments for simple bind and search+bind"

(The old wording also ignores that the error might arise via "ldapsuffix".)
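
An added illustration, not part of the message above and not code from hba.c: a small Python model of the point that ldapurl is shorthand expanded to other parameters, so whether a line is simple bind or search+bind is decided on the expanded set. The function names and mode labels are hypothetical, and the conflict rule is an assumption taken from the error message quoted above.

```python
from urllib.parse import urlsplit, unquote

# Option groups taken from the error message quoted in the thread.
SEARCH_ONLY = {"ldapbasedn", "ldapbinddn", "ldapbindpasswd",
               "ldapsearchattribute", "ldapsearchfilter"}
SIMPLE_ONLY = {"ldapprefix", "ldapsuffix"}

def expand_ldapurl(url):
    """Expand ldap[s]://host[:port]/basedn?attribute?scope?filter into options."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported LDAP URL scheme: %r" % parts.scheme)
    opts = {"ldapscheme": parts.scheme, "ldapserver": parts.hostname or ""}
    if parts.port is not None:
        opts["ldapport"] = str(parts.port)
    basedn = unquote(parts.path.lstrip("/"))
    if basedn:
        opts["ldapbasedn"] = basedn
    # Pad so a URL without a query still yields three fields; scope is not modelled.
    attribute, _scope, search_filter = (parts.query.split("?", 2) + ["", ""])[:3]
    if attribute:
        opts["ldapsearchattribute"] = unquote(attribute)
    if search_filter:
        opts["ldapsearchfilter"] = unquote(search_filter)
    return opts

def classify(options):
    """Return (mode, conflicting search+bind options) for one line's LDAP options."""
    opts = dict(options)
    url = opts.pop("ldapurl", None)
    if url is not None:
        opts.update(expand_ldapurl(url))  # the URL is only shorthand
    simple = SIMPLE_ONLY & opts.keys()
    search = sorted(SEARCH_ONLY & opts.keys())
    if simple and search:
        return "mixed", search  # "mixes arguments for simple bind and search+bind"
    if simple:
        return "simple bind", []
    if "ldapbasedn" in opts:
        return "search+bind", []
    return "incomplete", []

if __name__ == "__main__":
    # Constructed samples; the first mirrors the HBA line in the quoted message.
    print(classify({"ldapurl": "ldaps://ldap.example.net:49151",
                    "ldapprefix": "cn=", "ldapsuffix": ", dc=example, dc=net"}))
    print(classify({"ldapurl": "ldap://ldap.example.net/dc=example,dc=net?uid?sub",
                    "ldapsuffix": ", dc=example, dc=net"}))
```

The second sample shows the case the old wording misses: the conflict arises through ldapsuffix alone, with the search+bind arguments coming only from the URL.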



