Thread: BUG #7659: LDAP auth does not search the subtree

BUG #7659: LDAP auth does not search the subtree

From
kevin@rootsmith.ca
Date:
The following bug has been logged on the website:

Bug reference:      7659
Logged by:          Kevin Smith
Email address:      kevin@rootsmith.ca
PostgreSQL version: 9.2.1
Operating system:   CentOS5
Description:

I have the following in my pg_hba.conf file:

host all +ldap 127.0.0.1/32 ldap ldapserver=<myserver> ldapport=389
ldapbasedb="<my base dn>" ldapbinddn="<my bind dn>" ldapbindpasswd=<passwd>
ldapsearchattribute=<search_attr>

If I try to connect from the localhost with a valid ldap account, it fails.
Note that the <search_attr> is located in objects, one level deeper than the
<my base dn> given.

The error in the log is as follows:

could not search LDAP for filter "(<search_attr>=<my_user>)" on server
"<myserver>": error code 1

However, when I do the following on the command line, it works:

ldapsearch -x -L -b "<my base dn>" -D "<my bind dn>" -w <passwd> -H
ldap://<myserver>:389 "(<search_attr>=my_user)"

When I change the configuration in pg_hba.conf so that the ldapbasedn is
exactly on the same level as where the user resides, it works perfectly.

The documentation states "The search will be performed over the subtree at
ldapbasedn" but this does not appear to be the case from my testing. The
scope appears to be defaulting to be just searching the base.

Re: BUG #7659: LDAP auth does not search the subtree

From
Andrzej Cedro
Date:
I use PostgreSQL 9.1 32-bit on Windows 7 Professional with Active Directory as
LDAP.
I have the following configuration in pg_hba.conf:

host     all     all     all     ldap     ldapserver=192.168.155.157
ldapbinddn="CN=aaaaaa,OU=bbbbb,DC=cccc,DC=dddd" ldapbindpasswd=******
ldapbasedn="DC=cccc,DC=dddd" ldapsearchattribute=sAMAccountName

Search is performed over the subtree at ldapbasedn, but it is much slower
than a search exactly on the same level where the user resides. I think
that the search is performed on every database operation.

Maybe your problem is a "timeout problem".

I found that you wrote ldapbase*db* in parameters when ldapbase*dn* is
required.


Re: BUG #7659: LDAP auth does not search the subtree

From
Peter Eisentraut
Date:
On 5/21/13 2:54 AM, Andrzej Cedro wrote:
> I use PostgreSQL 9.1 32-bit on Windows 7 Professional with Active Directory as
> LDAP.
> I have the following configuration in pg_hba.conf:
>
> host     all     all     all     ldap     ldapserver=192.168.155.157
> ldapbinddn="CN=aaaaaa,OU=bbbbb,DC=cccc,DC=dddd" ldapbindpasswd=******
> ldapbasedn="DC=cccc,DC=dddd" ldapsearchattribute=sAMAccountName
>
> Search is performed over the subtree at ldapbasedn, but it is much slower
> than a search exactly on the same level where the user resides. I think
> that the search is performed on every database operation.

The search is only performed once when you log in.

In 9.3, we support LDAP URLs where you can specify the scope attribute
for the search (base, one, sub), which could help you if the LDAP search
takes too long.  But we don't support this as a separate parameter
outside of LDAP URLs.  Maybe we should.  (Note also that we don't
support LDAP URLs on Windows.)
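
An added example, not taken from this thread or from the PostgreSQL project, of the two pg_hba.conf forms discussed above: the separate-parameter form (the only one available in 9.1/9.2, where the search is always a subtree search rooted at ldapbasedn) and the RFC 4516 LDAP URL form Peter describes for 9.3, where the scope is written into the URL. The server name ldap.example.net, the base DN dc=example,dc=net, the bind DN and the search attribute are placeholders, not values from the reports.

```conf
# pg_hba.conf, LDAP search+bind authentication. Added example with placeholder
# values (ldap.example.net, dc=example,dc=net, cn=pgbind); not from the thread.

# Form 1: separate parameters (PostgreSQL 9.1/9.2 and later). The search is a
# subtree search rooted at ldapbasedn. Note the spelling: the option is
# "ldapbasedn"; a misspelled option name does not configure the base DN.
# ldapbindpasswd is stored in clear text, so keep pg_hba.conf readable only by
# the postgres user and give the bind account read access only.
host  all  +ldap  127.0.0.1/32  ldap  ldapserver=ldap.example.net ldapport=389 ldapbasedn="dc=example,dc=net" ldapbinddn="cn=pgbind,ou=service,dc=example,dc=net" ldapbindpasswd=secret ldapsearchattribute=sAMAccountName

# Form 2: RFC 4516 LDAP URL (PostgreSQL 9.3 and later; not supported on Windows
# builds, as noted above). Syntax: ldap://host[:port]/basedn?attribute?scope
# Write the scope explicitly: "sub" searches the whole subtree below the base
# DN, "one" only its immediate children, "base" only the base entry itself.
# The bind DN and password are still given as separate options.
host  all  +ldap  127.0.0.1/32  ldap  ldapurl="ldap://ldap.example.net:389/dc=example,dc=net?sAMAccountName?sub" ldapbinddn="cn=pgbind,ou=service,dc=example,dc=net" ldapbindpasswd=secret

# If all database users sit directly under one OU, a narrower base DN with
# scope "one" keeps the per-login search small and cannot match an entry with
# the same attribute value elsewhere in the directory.
host  all  +ldap  127.0.0.1/32  ldap  ldapurl="ldap://ldap.example.net/ou=people,dc=example,dc=net?sAMAccountName?one" ldapbinddn="cn=pgbind,ou=service,dc=example,dc=net" ldapbindpasswd=secret
```

To check which scope actually finds a user before changing pg_hba.conf, run the same ldapsearch as in the first report with an explicit scope (`-s base`, `-s one`, `-s sub`); an entry one level below the base DN is returned with `one` or `sub` but not with `base`. Whatever the form, the search runs once per login, not per statement.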