Re: Update LDAP Protocol in fe-connect.c to v3 - Mailing list pgsql-hackers

From Andrew Jackson
Subject Re: Update LDAP Protocol in fe-connect.c to v3
Date
Msg-id CAKK5BkE6ZipbDDJwrAXcuRQMWymcEnDtvw2HNvk3HdUsoUvxug@mail.gmail.com
In response to Re: Update LDAP Protocol in fe-connect.c to v3  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Update LDAP Protocol in fe-connect.c to v3
List pgsql-hackers
> This is the first complaint I can recall hearing about that, so
exactly which ones are "many"?

I've tested 2 before figuring out about the v3 issue: lldap[0] and the docker image osixia/docker-openldap[1].
- lldap gives the following error message when I attempt to connect without the patch: "Service Error: while handling incoming messages: while receiving LDAP op: Bind request version is not equal to 3. This is a serious client bug." With the attached patch this error message does not appear.
- osixia/docker-openldap gives the following error message without the patch: "67df745e conn=1001 op=0 RESULT tag=97 err=2 text=historical protocol version requested, use LDAPv3 instead".

> Also, are we really sufficiently compliant with v3 that just adding this bit is enough?

I believe that this bit is all that is needed. Per the man page for ldap_set_option [2]: "The protocol version used by the library defaults to LDAPv2 (now historic), which corresponds to the LDAP_VERSION2 macro. Application developers are encouraged to explicitly set LDAP_OPT_PROTOCOL_VERSION to LDAPv3, using the LDAP_VERSION3 macro, or to allow users to select the protocol version."

> src/test/ldap/ doesn't do it for you?

Looking through the tests here, it seems like they are all tests for the server-side auth functionality that is configurable in pg_hba.conf. I don't see any tests that test the client-side "LDAP Lookup of Connection Parameters" described in [3].


On Sat, Mar 22, 2025 at 6:10 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Andrew Jackson <andrewjackson947@gmail.com> writes:
> Currently the LDAP usage in fe-connect.c does not explicitly set the
> protocol version to v3. This causes issues with many LDAP servers as they
> will often require clients to use the v3 protocol and disallow any use of
> the v2 protocol.

This is the first complaint I can recall hearing about that, so
exactly which ones are "many"?  Also, are we really sufficiently
compliant with v3 that just adding this bit is enough?

> One further note is that I do not currently see any test coverage over the
> LDAP functionality in `fe-connect.c`. I am happy to add that to this patch
> if needed.

src/test/ldap/ doesn't do it for you?

                        regards, tom lane
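The errors quoted in the reply above come from one field on the wire: the BindRequest's version INTEGER, which libldap fills from LDAP_OPT_PROTOCOL_VERSION and which, per the man page, is LDAPv2 unless the application sets it (the usual libldap call is ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) with version = LDAP_VERSION3). The following is an added example, not code from the patch, from PostgreSQL or from either LDAP server: a small hand-written BER encoder/decoder for the LDAP BindRequest and BindResponse (RFC 4511 tags and result codes), plus a server-side check that rejects a non-v3 bind the way lldap and OpenLDAP do. The bind DN, password and diagnostic text are constructed sample data; the diagnostic string is copied from the OpenLDAP log line so the decoded response can be compared with it.

```python
# Added example (not code from the patch, PostgreSQL, lldap or OpenLDAP):
# minimal LDAP BindRequest/BindResponse encoding and a server-side version check.
# Tags and result codes are the RFC 4511 values; the DN/password are constructed.

LDAP_VERSION2 = 2
LDAP_VERSION3 = 3
RESULT_SUCCESS = 0
RESULT_PROTOCOL_ERROR = 2      # resultCode protocolError, the "err=2" in the OpenLDAP log

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60        # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61       # [APPLICATION 1], constructed: 97 decimal, the "tag=97" in the log
TAG_SIMPLE_AUTH = 0x80         # AuthenticationChoice simple [0]


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_uint(tag: int, value: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED; the extra bit keeps the sign bit clear."""
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just past the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_bind_request(message_id: int, version: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple password } }."""
    bind = (ber_uint(TAG_INTEGER, version)
            + tlv(TAG_OCTET_STRING, bind_dn.encode())
            + tlv(TAG_SIMPLE_AUTH, password.encode()))
    return tlv(TAG_SEQUENCE, ber_uint(TAG_INTEGER, message_id) + tlv(TAG_BIND_REQUEST, bind))


def encode_bind_response(message_id: int, result_code: int, diagnostic: str) -> bytes:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (ber_uint(TAG_ENUMERATED, result_code)
              + tlv(TAG_OCTET_STRING, b"")
              + tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return tlv(TAG_SEQUENCE, ber_uint(TAG_INTEGER, message_id) + tlv(TAG_BIND_RESPONSE, result))


def handle_bind(packet: bytes) -> bytes:
    """Server side: answer a BindRequest, refusing any version other than 3."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    message_id = int.from_bytes(mid, "big")
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, _ = read_tlv(op, 0)
    if int.from_bytes(ver, "big") != LDAP_VERSION3:
        return encode_bind_response(message_id, RESULT_PROTOCOL_ERROR,
                                    "historical protocol version requested, use LDAPv3 instead")
    return encode_bind_response(message_id, RESULT_SUCCESS, "")


def decode_bind_response(packet: bytes) -> dict:
    """Client side: pull messageID, protocolOp tag, resultCode and diagnostic out of a response."""
    _, msg, _ = read_tlv(packet, 0)
    _, mid, pos = read_tlv(msg, 0)
    tag, body, _ = read_tlv(msg, pos)
    _, code, pos = read_tlv(body, 0)
    _, _, pos = read_tlv(body, pos)            # matchedDN, not needed here
    _, diag, _ = read_tlv(body, pos)
    return {"message_id": int.from_bytes(mid, "big"), "tag": tag,
            "result_code": int.from_bytes(code, "big"), "diagnostic": diag.decode()}


if __name__ == "__main__":
    for version in (LDAP_VERSION2, LDAP_VERSION3):
        req = encode_bind_request(1, version, "cn=admin,dc=example,dc=org", "secret")
        print(f"v{version}: {req.hex()} -> {decode_bind_response(handle_bind(req))}")
```

Encoding the same bind with version 2 and version 3 produces byte strings that differ in exactly one byte (the version INTEGER's value), which is why the fix can be a single option setting on the client: nothing else in a simple bind changes between the two versions. The v2 request decodes to tag 97 (BindResponse) with resultCode 2 (protocolError), i.e. the same "RESULT tag=97 err=2" that OpenLDAP logged.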
