Unix Technical Forum

Re: [BUGS] BUG #3095: LDAP authentication parsing incorrectly

04-18-2008, 10:45 AM
Bruce Momjian


I have researched this problem, and the incorrect behavior seems to be
totally caused by the fact that unquoted commas are treated as item
separators in pg_hba.conf.

I have updated the documentation in 8.2 and CVS HEAD to indicate that
the LDAP URL should be double-quoted, and double-quoted the example URL
for emphasis.

If double-quoting does not 100% fix your problem, please let us know.
Thanks.

Documentation patch attached.

---------------------------------------------------------------------------

Joey Wang wrote:
>
> The following bug has been logged online:
>
> Bug reference: 3095
> Logged by: Joey Wang
> Email address: jwang@sentillion.com
> PostgreSQL version: 8.2.3
> Operating system: Linux
> Description: LDAP authentication parsing incorrectly
> Details:
>
> LDAP authentication parsing has two bugs.
>
> When pg_hba.conf contains the line
>
> host all all 127.0.0.1/24 ldap
> ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users
>
> We expect the parsing will construct a user DN as
>
> cn=userid,cn=users,dc=domain,dc=com
>
> But
>
> (1) dc=domain,dc=com is ignored. This is the src code from auth.c:
>
> .....
>
> /* ldap, no port number */
> r = sscanf(port->auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
> server, basedn, prefix, suffix);
>
> .....
>
> snprintf(fulluser, sizeof(fulluser), "%s%s%s",
> prefix, port->user_name, suffix);
> fulluser[sizeof(fulluser) - 1] = '\0';
>
> r = ldap_simple_bind_s(ldap, fulluser, passwd);
>
> We can see the code did not use basedn.
>
> (2) suffix containing ',' is converted to other character. This bug is
> caused by the parsing algorithm treating comma as a token separator.


--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
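
A configuration check for the quoting advice in this thread, added here as an example and not part of the original post or of PostgreSQL: it flags `ldap` entries in pg_hba.conf whose URL argument contains commas outside double quotes. The sample file is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the layout the bug report uses
# (TYPE DATABASE USER CIDR-ADDRESS METHOD [OPTION]); not from a real server.
SAMPLE_HBA = """\
# TYPE  DATABASE USER CIDR-ADDRESS   METHOD
local   all      all                 ident sameuser
host    all      all  127.0.0.1/24   ldap ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users
host    all      all  10.0.0.0/8     ldap "ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users"
host    all      all  192.168.0.0/16 md5  # trailing comment, with a comma
"""

# The ldap method keyword followed by its URL argument, optionally quoted.
LDAP_ENTRY = re.compile(r'\sldap\s+(?P<arg>"?ldaps?://.*)$')


def unquoted_commas(arg):
    """Count commas in arg that sit outside double quotes, stopping at a comment."""
    in_quotes = False
    count = 0
    for ch in arg:
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch == '#':
            break
        elif not in_quotes and ch == ',':
            count += 1
    return count


def find_unquoted_ldap_urls(text):
    """Return (line number, URL argument) for ldap entries needing double quotes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        match = LDAP_ENTRY.search(line)
        if match and unquoted_commas(match.group("arg")) > 0:
            findings.append((lineno, match.group("arg").strip()))
    return findings


if __name__ == "__main__":
    for lineno, arg in find_unquoted_ldap_urls(SAMPLE_HBA):
        print(f"line {lineno}: LDAP URL has unquoted commas, double-quote it: {arg}")
```
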


