On 05/14/2014 09:10 AM, Magnus Hagander wrote: > On Wed, May 14, 2014 at 8:35 AM, Stephan Fabel <sfabel@hawaii.edu
> <mailto:sfabel@hawaii.edu>> wrote: > > I don't think SSL support for LDAP is supported. Have you tried TLS > on port 389? >
Thanks for the hint, no wonder it does not work. Unfortunately this info is not in the postgres documentation.
It is - indirectly, in the ldapurl documentation. "To use encrypted LDAP connections, the ldaptls option has to be used in addition to ldapurl. The ldaps URL scheme (direct SSL connection) is not supported."
But maybe it could be made more clear...
> > Correct, and you need to set ldaptls=1 to use that as well.
This does not work with our LDAP server (seems it is not configured to support TLS)
That's strangely configured. The LDAP TLS support (in the protocol) is the standardized one, and the "SSL wrapper" mode is not in the standard.
I *think* the "SSL wrapper" really is just that - wrap it in a standard SSL connection. In which case it might work if you set up stunnel or something like that to proxy the connection for you.
Any idea whether LDAP over SSL will be supported in future postgres releases?
I am not aware of any such plans, but if you (or somebody else) is willing to write a patch, I don't see a reason it would be rejected. Even though it's non-standard, it's fairly widespread. I recall there being a reason it wasn't added in the first place, but I don't recall what it was.
