Thread: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11

BUG #15495: Ldap authentication not working with multiple server in Postgresql 11
From: PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference: 15495
Logged by: Renaud Navarro
Email address: rnavarro@nocibe.fr
PostgreSQL version: 11.1
Operating system: Oracle Linux 7.5
Description:

Hi

After upgrading the database from PostgreSQL 10.5 to PostgreSQL 11.1, LDAP authentication no longer works with multiple LDAP servers specified.
The pg_hba.conf has the following line:

    hostssl all all 172.20.0.0/16 ldap ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net" ldapprefix="NOCIBE\" ldaptls=1 "

I have the following error in the log file:

    2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad parameter to an ldap routine
    2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for user "admin_rnavarro"

If I modify the pg_hba.conf with one LDAP server, the authentication is working.
The same entry with PostgreSQL 10.5 works perfectly.

Thanks for helping me.
Kind Regards
Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11
From: Thomas Munro
Date:

On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form <noreply@postgresql.org> wrote:
> The following bug has been logged on the website:
>
> Bug reference: 15495
> Logged by: Renaud Navarro
> Email address: rnavarro@nocibe.fr
> PostgreSQL version: 11.1
> Operating system: Oracle Linux 7.5
> Description:
>
> Hi
>
> After upgrade database from postgresql 10.5 to postgresql 11.1, LDAP
> authentication no longer work with multiple ldap server specified.
> The pg_hba.conf have the following line :
> hostssl all all 172.20.0.0/16 ldap
> ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net"
> ldapprefix="NOCIBE\" ldaptls=1 "
> I have the following error in log file :
> 2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad
> parameter to an ldap routine
> 2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for
> user "admin_rnavarro"
> If I modify the pg_hba.conf with one LDAP server, the authentication is
> working.
> The same entry with postgresql 10.5 work perfectly

Thanks for the report. I see the problem. In commit 35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init() to ldap_initialize() because the newer interface supports LDAPS. To do that we have to build a URI from the given protocol, server and port. I overlooked the case where multiple servers are specified in ldapserver. If you say ldapserver="a b c" then we generate a URI "ldap://a b c:389", but it looks like we should instead generate a URI list "ldap://a:389 ldap://b:389 ldap://c:389".

Unfortunately there doesn't seem to be an obvious workaround until we can ship a fix in the next point release, because ldapurl doesn't support the space-separated list format either.

--
Thomas Munro
http://www.enterprisedb.com
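The URI construction Thomas describes, as an added illustration that is not PostgreSQL's own code: build_uri_naive() reproduces the 11.0/11.1 string ("ldap://a b c:389"), build_uri_list() produces the per-host URI list the fix aims for, and uri_list_is_well_formed() is a hypothetical check that approximates why a single URI with spaces in its authority is rejected (it is not OpenLDAP's parser, which is what actually reported "Bad parameter to an ldap routine"). All three function names are assumptions; the hostnames in main() are the ones from the bug report.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers modelling how ldapscheme/ldapserver/ldapport from
 * pg_hba.conf become the string handed to ldap_initialize(). Not PostgreSQL code. */

/* The 11.0/11.1 behaviour from the thread: the whole space-separated
 * ldapserver value is wrapped in one URI, e.g. "ldap://a b c:389". */
char *build_uri_naive(const char *scheme, const char *servers, int port)
{
    size_t cap = strlen(scheme) + strlen(servers) + 32;
    char *uri = malloc(cap);

    if (uri == NULL)
        return NULL;
    snprintf(uri, cap, "%s://%s:%d", scheme, servers, port);
    return uri;
}

/* Corrected behaviour: one URI per whitespace-separated host, joined by
 * spaces, e.g. "ldap://a:389 ldap://b:389 ldap://c:389". Returns a malloc'd
 * string, or NULL on allocation failure. */
char *build_uri_list(const char *scheme, const char *servers, int port)
{
    /* Upper bound: every other char of servers could be a one-char host, each
     * gaining scheme, "://", ":", up to 11 port digits and a separating space. */
    size_t cap = strlen(servers) * (strlen(scheme) + 20) + 32;
    char *out = malloc(cap);
    size_t used = 0;
    const char *p = servers;

    if (out == NULL)
        return NULL;
    out[0] = '\0';
    while (*p)
    {
        const char *start;
        int n;

        while (*p && isspace((unsigned char) *p))
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && !isspace((unsigned char) *p))
            p++;
        n = snprintf(out + used, cap - used, "%s%s://%.*s:%d",
                     used ? " " : "", scheme, (int) (p - start), start, port);
        if (n < 0 || (size_t) n >= cap - used)
        {
            free(out);
            return NULL;
        }
        used += (size_t) n;
    }
    return out;
}

/* Approximation of the rejection (not OpenLDAP's parser): every space-separated
 * token of a URI list must itself be a URI, i.e. "scheme://" plus a non-empty host. */
int uri_list_is_well_formed(const char *list)
{
    const char *p = list;
    int tokens = 0;

    while (*p)
    {
        const char *start, *sep;

        while (*p == ' ')
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != ' ')
            p++;
        sep = strstr(start, "://");
        if (sep == NULL || sep >= p || sep == start || sep + 3 >= p)
            return 0;           /* token is not a URI of its own */
        tokens++;
    }
    return tokens > 0;
}

/* Build with either routine, compare to an expected string, free the result. */
int uri_matches(int fixed, const char *scheme, const char *servers, int port,
                const char *expected)
{
    char *uri = fixed ? build_uri_list(scheme, servers, port)
                      : build_uri_naive(scheme, servers, port);
    int ok = uri != NULL && strcmp(uri, expected) == 0;

    free(uri);
    return ok;
}

int main(void)
{
    const char *servers = "dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net";
    char *naive = build_uri_naive("ldap", servers, 389);
    char *fixed = build_uri_list("ldap", servers, 389);

    printf("naive: %s (well-formed: %d)\n", naive, uri_list_is_well_formed(naive));
    printf("fixed: %s (well-formed: %d)\n", fixed, uri_list_is_well_formed(fixed));
    free(naive);
    free(fixed);
    return 0;
}
```

Running it prints the two candidate strings for the reporter's ldapserver value; only the second passes the per-token check, which is the observable difference between an entry that works and one that fails with "could not initialize LDAP".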
Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11
From: Thomas Munro
Date:

On Sat, Nov 10, 2018 at 8:28 AM Thomas Munro <thomas.munro@enterprisedb.com> wrote:
> On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
> <noreply@postgresql.org> wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 15495
> > Logged by: Renaud Navarro
> > Email address: rnavarro@nocibe.fr
> > PostgreSQL version: 11.1
> > Operating system: Oracle Linux 7.5
> > Description:
> >
> > Hi
> >
> > After upgrade database from postgresql 10.5 to postgresql 11.1, LDAP
> > authentication no longer work with multiple ldap server specified.
> > The pg_hba.conf have the following line :
> > hostssl all all 172.20.0.0/16 ldap
> > ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net"
> > ldapprefix="NOCIBE\" ldaptls=1 "
> > I have the following error in log file :
> > 2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad
> > parameter to an ldap routine
> > 2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for
> > user "admin_rnavarro"
> > If I modify the pg_hba.conf with one LDAP server, the authentication is
> > working.
> > The same entry with postgresql 10.5 work perfectly
>
> Thanks for the report. I see the problem. In commit
> 35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
> to ldap_initialize() because the newer interface supports LDAPS. To
> do that we have to build a URI from the given protocol, server and
> port. I overlooked the case where multiple servers are specified in
> ldapserver. If you say ldapserver="a b c" then we generate a URI
> "ldap://a b c:389", but it looks like we should instead generate a URI
> list "ldap://a:389 ldap://b:389 ldap://c:389".

Here's a draft patch.

--
Thomas Munro
http://www.enterprisedb.com
Attachment
Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11
From: Thomas Munro
Date:

On Sat, Nov 10, 2018 at 11:45 AM Thomas Munro <thomas.munro@enterprisedb.com> wrote:
> On Sat, Nov 10, 2018 at 8:28 AM Thomas Munro
> <thomas.munro@enterprisedb.com> wrote:
> > On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
> > <noreply@postgresql.org> wrote:
> > > After upgrade database from postgresql 10.5 to postgresql 11.1, LDAP
> > > authentication no longer work with multiple ldap server specified.
> >
> > Thanks for the report. I see the problem. In commit
> > 35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
> > to ldap_initialize() because the newer interface supports LDAPS. To
> > do that we have to build a URI from the given protocol, server and
> > port. I overlooked the case where multiple servers are specified in
> > ldapserver. If you say ldapserver="a b c" then we generate a URI
> > "ldap://a b c:389", but it looks like we should instead generate a URI
> > list "ldap://a:389 ldap://b:389 ldap://c:389".
>
> Here's a draft patch.

I did some testing with various multi-server configurations, added a simple two hostname case to the regression tests and pushed this to master and 11. Thanks again for the report.

--
Thomas Munro
http://www.enterprisedb.com