Re: BUG #16399: Ldap authentication bug

From: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
To: ciaranrh(at)gmail(dot)com, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: BUG #16399: Ldap authentication bug
Date: 2020-04-29 02:26:48
Message-ID: CA+hUKGKCfB5hxbdNv4LDwWD-9TXg4nmGgWX2mchsUjkJLmfefA@mail.gmail.com
Lists: pgsql-bugs

On Wed, Apr 29, 2020 at 12:22 PM PG Bug reporting form
<noreply(at)postgresql(dot)org> wrote:
> The following bug has been logged on the website:
>
> Bug reference: 16399
> Logged by: Ciaran
> Email address: ciaranrh(at)gmail(dot)com
> PostgreSQL version: 10.12
> Operating system: Windows Server 2012
> Description:
>
> Hello,
>
> Following the documentation here:
> https://www.postgresql.org/docs/10/auth-methods.html#AUTH-LDAP I'm
> attempting to enable LDAP authentication on my postgres database.
>
> The relevant line for my testing this in my pg_hba.conf file is as
> follows:
> host all ciaranh 0.0.0.0/0 ldap
> ldapurl="ldap://<DC>/OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one"
> #ldapbinddn="CN=Postgres Bind, OU=Service Accounts, DC=CNFLTD, DC=COM"
> ldapbindpasswd="cnfP(at)ssw0rd"
>
> I receive the following error when trying to start the postgres service:
> 2020-04-28 16:00:02.619 PDT [4704] LOG: authentication method "ldap"
> requires argument "ldapserver" to be set
> 2020-04-28 16:00:02.619 PDT [4704] CONTEXT: line 79 of configuration file
> "C:/Program Files/PostgreSQL/10/data/pg_hba.conf"
> 2020-04-28 16:00:02.619 PDT [4704] FATAL: could not load pg_hba.conf
>
> I do not understand why the ldapserver need be set if it's specified in the
> ldapurl field, this seems like a bug to me.

Huh. I'm surprised you don't get the error "LDAP URLs not supported
on this platform"[1], since you're on Windows. Our documentation
says that we don't support LDAP URLs on Windows (patches welcome);
it's possible that the error checking for that is somehow wrong.

I haven't heard of this myself, but if your build is somehow using
OpenLDAP instead of Win32 LDAP then I suppose it should just work
(though I'm not entirely sure if there are other places in the code
that assume that Windows must be using Win32 LDAP). That would imply
that ldap_url_parse() succeeded but set urldata->lud_host to NULL for
your input string. Not sure why; when I tried passing that exact URL
to my local ldap_url_parse() it gives back the string "<DC>". I don't
expect that to actually work (perhaps Windows LDAP understands "<DC>"
here, but I don't think OpenLDAP does) but that's another problem.

[1] https://github.com/postgres/postgres/blob/REL_10_STABLE/src/backend/libpq/hba.c#L1746
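The thread turns on what an LDAP URL parser hands back as the host for the reporter's ldapurl. The following is an added example, not code from this thread or from PostgreSQL: a small RFC 4516-style parser for the `ldapurl` form documented for pg_hba.conf (`ldap[s]://host[:port]/basedn[?attribute[?scope[?filter]]]`), plus a `check_hba_ldap_server` helper that models, in simplified form, the "requires argument ldapserver" diagnostic quoted in the report. The function names are hypothetical, `"<DC>"` is kept exactly as the reporter posted it (a placeholder for a domain-controller hostname, not a name that resolves), and the check only stands in for hba.c's real host test.

```python
"""Parse pg_hba.conf-style LDAP URLs and reproduce the host check.

Added example (not PostgreSQL code); helper names are hypothetical.
"""
from urllib.parse import unquote

VALID_SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Split an LDAP URL into its components.

    Returns a dict with scheme, host, port, basedn, attribute, scope and
    filter. A component that is absent comes back as None; host is None
    when the authority part between '://' and the next '/' is empty, which
    is the situation that leaves a C parser's host field unset.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("unsupported LDAP URL scheme: %r" % url)

    authority, _, path = rest.partition("/")
    host, port = None, None
    if authority:
        if authority.startswith("["):
            # Bracketed IPv6 literal, optionally followed by :port.
            end = authority.find("]")
            if end == -1:
                raise ValueError("unterminated IPv6 literal in %r" % url)
            host = authority[1:end]
            tail = authority[end + 1:]
            if tail.startswith(":"):
                port = int(tail[1:])
        elif ":" in authority:
            host, port_text = authority.rsplit(":", 1)
            port = int(port_text)
        else:
            host = authority

    # basedn?attribute?scope?filter: at most four '?'-separated fields.
    parts = path.split("?", 3)
    parts += [""] * (4 - len(parts))
    basedn, attribute, scope, filt = (unquote(p) for p in parts)
    if scope and scope.lower() not in VALID_SCOPES:
        raise ValueError("invalid LDAP URL scope: %r" % scope)

    return {
        "scheme": scheme.lower(),
        "host": host,
        "port": port,
        "basedn": basedn or None,
        "attribute": attribute or None,
        "scope": scope.lower() or None,
        "filter": filt or None,
    }


def check_hba_ldap_server(url):
    """Simplified model of the pg_hba.conf check quoted in the bug report.

    Returns the diagnostic string when the URL yields no host (the case
    that would make loading pg_hba.conf fail), or None when a host is
    present. This is an assumption about the shape of the check, not
    PostgreSQL's actual hba.c logic.
    """
    if not parse_ldap_url(url)["host"]:
        return ('authentication method "ldap" requires argument '
                '"ldapserver" to be set')
    return None


if __name__ == "__main__":
    # The URL exactly as posted in the report ("<DC>" is the reporter's
    # placeholder) and a constructed variant with the host left out.
    for candidate in (
        "ldap://<DC>/OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one",
        "ldap:///OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one",
    ):
        print(candidate)
        print("  parsed:", parse_ldap_url(candidate))
        print("  check :", check_hba_ldap_server(candidate))
```

Run against the reporter's URL, the parser returns `"<DC>"` as the host, which matches what Thomas saw from his local `ldap_url_parse()`: a non-empty (if unusable) host, so the "requires argument ldapserver" path is not the one this URL should take in an OpenLDAP build. Only the host-less form `ldap:///...` trips the check here, which is the condition worth looking for when that diagnostic appears on a platform that claims LDAP URL support.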
