Re: Force pg_hba.conf user with LDAP - Mailing list pgsql-general

From Jeff Janes
Subject Re: Force pg_hba.conf user with LDAP
Msg-id CAMkU=1xpO+7GDzRamF1zcoT7OV8W9-0+jpkQhbTuaMn4Qn4NFg@mail.gmail.com
In response to Force pg_hba.conf user with LDAP  (Joseph Kregloh <jkregloh@sproutloud.com>)
Responses Re: Force pg_hba.conf user with LDAP  (John McKown <john.archie.mckown@gmail.com>)
List pgsql-general
On Mon, Aug 1, 2016 at 11:40 AM, Joseph Kregloh <jkregloh@sproutloud.com> wrote:
> Hi,
>
> Is there a way to force the user being sent to LDAP?
>
> For example I have the following entry in my pg_hba.conf file:
> host    apdb             apuser       10.0.20.1/22           ldap
> ldapserver="389-ds1.sl.com:389" ldapbasedn="dc=sl,dc=com"
>
> - I will be connecting as apuser.
> - I will supply my own user's password.
>
> When PostgreSQL does the authentication I would like it to replace apuser
> with jkregloh.
>
> The reason why I want to do this is to limit power granted to a user. For
> example I want to be able to use my regular user jkregloh for everyday
> things. But when I need super user actions I will login using apuser. Now
> this is easy enough to do without LDAP. But if I disable my user via LDAP it
> would remove access from both my regular user and my superuser; that's the
> functionality I am looking for.
>
> I am pretty sure this is not possible, but I am floating the question
> anyways in hope of suggestions.

I've wanted this as well, and for the same reason.  I think you are
correct, that this is not currently possible.  Only authentication
methods which inherently provide the authenticating user's username
implement the pg_ident.conf mechanism.  LDAP does not independently
provide a username, it only uses the one provided to it.

I thought a quick and dirty solution would be to stuff both user names
(the authenticating username and the database username) into the
existing username slot of the libpq protocol, separated by some
obscure character.  Then break them apart on that character, and look
in pg_ident.conf to make sure the specified authenticating user is
allowed to connect as the specified database user.  I've never gotten
around to implementing it, though, and I doubt it would be accepted
into core with the "magic character" design.

Cheers,

Jeff
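The "two names in one username slot, checked against pg_ident.conf" idea sketched above, as an added illustration that is not PostgreSQL code and not anything from this thread's authors. It assumes `%` as the magic separator and a constructed pg_ident.conf that maps the LDAP user jkregloh to both the jkregloh and apuser roles; the map lookup follows the documented pg_ident.conf semantics (literal match, or a regex when the system-username field starts with `/`, with `\1` in pg-username replaced by the first capture group).

```python
import re

SEPARATOR = "%"  # assumed "magic character"; a real design would need something unambiguous

# Constructed sample pg_ident.conf: MAPNAME  SYSTEM-USERNAME  PG-USERNAME
SAMPLE_PG_IDENT = """
# map       LDAP user             database role
ldapmap     jkregloh              jkregloh
ldapmap     jkregloh              apuser
ldapmap     /^(.*)@sl\\.com$      \\1
"""


def parse_pg_ident(text):
    """Return (map, system_user, pg_user) tuples; comments and blank lines skipped.
    Quoted fields with embedded whitespace are not handled here."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(parts))
    return entries


def ident_allows(entries, mapname, system_user, pg_user):
    """True if some entry in `mapname` lets system_user connect as pg_user."""
    for m, sys_pat, pg_pat in entries:
        if m != mapname:
            continue
        if sys_pat.startswith("/"):
            match = re.search(sys_pat[1:], system_user)  # regex form, like pg_ident.conf
            if not match:
                continue
            allowed = pg_pat
            if "\\1" in pg_pat:
                if not match.groups():
                    raise ValueError("pg-username uses \\1 but the regex has no capture group")
                allowed = pg_pat.replace("\\1", match.group(1))
            if allowed == pg_user:
                return True
        elif sys_pat == system_user and pg_pat == pg_user:
            return True
    return False


def resolve_database_user(login_name, ident_text, mapname="ldapmap"):
    """Split 'authuser%dbrole' and return (user to verify against LDAP, database role),
    or None when pg_ident.conf does not permit the pairing. A plain name is unchanged."""
    if SEPARATOR not in login_name:
        return login_name, login_name
    auth_user, db_user = login_name.split(SEPARATOR, 1)
    if not auth_user or not db_user:
        raise ValueError("empty component in login name")
    if ident_allows(parse_pg_ident(ident_text), mapname, auth_user, db_user):
        return auth_user, db_user
    return None
```

Disabling jkregloh in LDAP then blocks both `jkregloh` and `jkregloh%apuser`, which is the behaviour the original question asks for.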

