Re: BUG #16399: Ldap authentication bug - Mailing list pgsql-bugs

From Thomas Munro
Subject Re: BUG #16399: Ldap authentication bug
Msg-id CA+hUKGKCfB5hxbdNv4LDwWD-9TXg4nmGgWX2mchsUjkJLmfefA@mail.gmail.com
In response to BUG #16399: Ldap authentication bug  (PG Bug reporting form <noreply@postgresql.org>)
List pgsql-bugs
On Wed, Apr 29, 2020 at 12:22 PM PG Bug reporting form
<noreply@postgresql.org> wrote:
> The following bug has been logged on the website:
>
> Bug reference:      16399
> Logged by:          Ciaran
> Email address:      ciaranrh@gmail.com
> PostgreSQL version: 10.12
> Operating system:   Windows Server 2012
> Description:
>
> Hello,
>
> Follow the documentation here:
> https://www.postgresql.org/docs/10/auth-methods.html#AUTH-LDAP I'm
> attempting to enable LDAP authentication on my postgres database.
>
> The relevant line for my testing this in my pg_hba.conf file is as
> follows:
> host    all             ciaranh         0.0.0.0/0               ldap
> ldapurl="ldap://<DC>/OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one"
> #ldapbinddn="CN=Postgres Bind, OU=Service Accounts, DC=CNFLTD, DC=COM"
> ldapbindpasswd="cnfP@ssw0rd"
>
> I receive the following error when trying to start the postgres service:
> 2020-04-28 16:00:02.619 PDT [4704] LOG:  authentication method "ldap"
> requires argument "ldapserver" to be set
> 2020-04-28 16:00:02.619 PDT [4704] CONTEXT:  line 79 of configuration file
> "C:/Program Files/PostgreSQL/10/data/pg_hba.conf"
> 2020-04-28 16:00:02.619 PDT [4704] FATAL:  could not load pg_hba.conf
>
> I do not understand why the ldapserver need be set if it's specified in the
> ldapurl field, this seems like a bug to me.

Huh.  I'm surprised you don't get the error "LDAP URLs not supported
on this platform"[1], since you're on Windows.  Our documentation
says that we don't support LDAP URLs on Windows (patches welcome);
it's possible that the error checking for that is somehow wrong.

I haven't heard of this myself, but if your build is somehow using
OpenLDAP instead of Win32 LDAP then I suppose it should just work
(though I'm not entirely sure if there are other places in the code
that assume that Windows must be using Win32 LDAP).  That would imply
that ldap_url_parse() succeeded but set urldata->lud_host to NULL for
your input string.  Not sure why; when I tried passing that exact URL
to my local ldap_url_parse() it gives back the string "<DC>".  I don't
expect that to actually work (perhaps Windows LDAP understands "<DC>"
here, but I don't think OpenLDAP does) but that's another problem.

[1] https://github.com/postgres/postgres/blob/REL_10_STABLE/src/backend/libpq/hba.c#L1746
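As an added illustration (not part of this thread and not PostgreSQL's own code), here is a small Python model of what the report's ldapurl parses into and of the load-time check it trips. The step "parsed host becomes ldapserver, and an unset ldapserver is rejected" is an assumption taken from Thomas's description of lud_host; IPv6 host literals and URL extensions are deliberately not handled.

```python
from typing import List, NamedTuple, Optional
from urllib.parse import unquote


class LdapUrl(NamedTuple):
    scheme: str
    host: Optional[str]   # None when the URL has no host part (what lud_host == NULL means)
    port: Optional[int]
    dn: str
    attrs: List[str]
    scope: str
    filter: Optional[str]


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an RFC 4516 URL: scheme://[host[:port]]/dn[?attrs[?scope[?filter[?exts]]]].
    IPv6 host literals and extensions are not handled; enough for pg_hba.conf ldapurl."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    authority, _, path = rest.partition("/")
    host: Optional[str] = None
    port: Optional[int] = None
    if authority:                         # empty authority ("ldap:///...") leaves host None
        host, colon, portstr = authority.partition(":")
        if colon:
            if not portstr.isdigit():
                raise ValueError("bad port in %r" % url)
            port = int(portstr)
    dn, attrs, scope, filt, _exts = (path.split("?") + [""] * 5)[:5]
    scope = scope.lower() or "base"       # RFC 4516: an absent scope means "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r in %r" % (scope, url))
    return LdapUrl(scheme.lower(), host, port, unquote(dn),
                   [a for a in attrs.split(",") if a], scope, unquote(filt) or None)


def hba_ldapurl_problem(url: str) -> Optional[str]:
    """Model of the load-time check from the report (assumed: hba.c copies the parsed
    host into ldapserver and rejects the line when it is unset). None means the line loads."""
    if parse_ldap_url(url).host is None:
        return 'authentication method "ldap" requires argument "ldapserver" to be set'
    return None


if __name__ == "__main__":
    # Constructed inputs: the URL from the report, then the same URL with its host left out.
    for u in ("ldap://<DC>/OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one",
              "ldap:///OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one"):
        print(u, "->", parse_ldap_url(u).host, "|", hba_ldapurl_problem(u))
```

Running a pg_hba.conf ldapurl through this before a restart shows whether the host component survives parsing at all, which is the question Thomas raises above.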
