Thread: 8.2 -> 8.4 Upgrade: No More "ldaps://"?

8.2 -> 8.4 Upgrade: No More "ldaps://"?

From
Jim Seymour
Date:
Hi There,

Tried to upgrade from 8.2.21 to 8.4.19 this morning and ran into a
wall: It would appear the 
   hostssl all all  0.0.0.0/0  ldap "ldaps://..."

syntax is no longer supported?

Searched.  Asked on the IRC channel.  It would seem that in 8.4.x
there's no way to perform a "straight SSL" (not TLS) connect to an LDAP
server anymore?

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.



Re: 8.2 -> 8.4 Upgrade: No More "ldaps://"?

From
Tom Lane
Date:
Jim Seymour <jseymour@LinxNet.com> writes:
> Tried to upgrade from 8.2.21 to 8.4.19 this morning and ran into a
> wall: It would appear the 
>     hostssl all all  0.0.0.0/0  ldap "ldaps://..."
> syntax is no longer supported?

The 8.4 release notes say that there were incompatible changes in the
format of pg_hba.conf entries for LDAP authentication, and this is one:
you're supposed to use the ldaptls option now.

AFAICS from the relevant commit (7356381ef), there is no change in
functionality between what we did for "ldaps:" and what we do now
for "ldaptls".
        regards, tom lane



Re: 8.2 -> 8.4 Upgrade: No More "ldaps://"?

From
Jim Seymour
Date:
On Mon, 17 Feb 2014 14:18:40 -0500
Tom Lane <tgl@sss.pgh.pa.us> wrote:

> Jim Seymour <jseymour@LinxNet.com> writes:
> > Tried to upgrade from 8.2.21 to 8.4.19 this morning and ran into a
> > wall: It would appear the 
> >     hostssl all all  0.0.0.0/0  ldap "ldaps://..."
> > syntax is no longer supported?
> 
> The 8.4 release notes say that there were incompatible changes in the
> format of pg_hba.conf entries for LDAP authentication, and this is
> one: you're supposed to use the ldaptls option now.

Yes, I saw that, but when I tried
   ldap ldapserver=... ldapport=636 ldaptls=1

it failed.

> 
> AFAICS from the relevant commit (7356381ef), there is no change in
> functionality between what we did for "ldaps:" and what we do now
> for "ldaptls".

That very well could be.  I always *assumed* that "ldaps://" meant it
was doing SSL on port 636.  After all: That's what SMTPS means, for
example.  But I got to thinking, and looking at my OpenLDAP config and
thought "Hmmm... I wonder...?" and removed "ldapport=636" from my
pg_hba.conf and, lo and behold, it worked!

Thanks for the follow-up, Tom.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.