
Re: BUG #3095: LDAP authentication parsing incorrectly

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Joey Wang <jwang(at)sentillion(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #3095: LDAP authentication parsing incorrectly
Date: 2007-03-08 15:15:22
Message-ID: 20070308151522.GA8575@svr2.hagander.net
Lists: pgsql-bugs, pgsql-patches
On Thu, Mar 01, 2007 at 09:48:34PM +0000, Joey Wang wrote:
> 
> The following bug has been logged online:
> 
> Bug reference:      3095
> Logged by:          Joey Wang
> Email address:      jwang(at)sentillion(dot)com
> PostgreSQL version: 8.2.3
> Operating system:   Linux
> Description:        LDAP authentication parsing incorrectly
> Details: 
> 
> LDAP authentication parsing has two bugs.
> 
> When pg_hba.conf contains a line
> 
> host all all 127.0.0.1/24 ldap ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users
> 
> We expect the parsing will construct a user DN as
> 
> cn=userid,cn=users,dc=domain,dc=com
> 
> But
> 
> (1) dc=domain,dc=com is ignored. This is the src code from auth.c:
> 
> .....
> 
> /* ldap, no port number */
> r = sscanf(port->auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
>            server, basedn, prefix, suffix);
> 
> .....
> 
> snprintf(fulluser, sizeof(fulluser), "%s%s%s",
> 	 prefix, port->user_name, suffix);
> fulluser[sizeof(fulluser) - 1] = '\0';
> 
> r = ldap_simple_bind_s(ldap, fulluser, passwd);
> 
> We can see the code did not use basedn.

That is indeed so. IIRC, that was actually intentional, to make it
possible to use suffix-less binding (such as EXAMPLE\account for
ActiveDirectory, using the NT domain name instead of the LDAP dn). Does
kind of make the base dn unnecessary ;-)


> (2) suffix containing ',' is converted to other character. This bug is
> caused by parsing algorithm to treat comma as a token separator.

For some reason, I can't get my AD to accept my LDAP connection on my
test machine - it keeps bitching about certificates and such.
Anyway. Does it not work if you quote the LDAP url? I *think* that is
permitted...

//Magnus
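The auth_arg parse discussed above, as an added example that is not PostgreSQL's own code and not part of this thread: it re-implements the 8.2.3 branch quoted from auth.c (same sscanf format string, same prefix + user + suffix assembly, basedn parsed and then never used) so both observations can be checked offline, and adds an RFC 4514-escaped assembly as a hardening that 8.2.3 did not have. It takes the auth_arg string as it would reach auth.c, leaving aside whatever the pg_hba.conf tokenizer does to commas upstream. The function names (parse_8_2, build_fulluser_8_2, dn_escape, build_fulluser_safe), the 128-byte buffers (the %127 widths plus a NUL) and the sample inputs are this example's own assumptions.

```c
/*
 * Added example (not PostgreSQL code): the 8.2.3 auth_arg parse quoted in
 * the report, re-implemented so its behaviour can be checked offline, plus
 * an RFC 4514-escaped way of splicing the user name into the bind DN.
 * Names and buffer sizes are this example's assumptions.
 */
#include <stdio.h>
#include <string.h>

struct ldap_arg
{
	char		server[128];	/* 128 = the %127 widths in the format + NUL */
	char		basedn[128];
	char		prefix[128];
	char		suffix[128];
};

/* Same format string as the "ldap, no port number" branch quoted above. */
int
parse_8_2(const char *auth_arg, struct ldap_arg *a)
{
	memset(a, 0, sizeof(*a));	/* so an unmatched suffix reads as "" */
	return sscanf(auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
				  a->server, a->basedn, a->prefix, a->suffix);
}

/* Same assembly as the quoted snprintf: prefix + user + suffix; basedn unused. */
void
build_fulluser_8_2(const struct ldap_arg *a, const char *user,
				   char *out, size_t outlen)
{
	snprintf(out, outlen, "%s%s%s", a->prefix, user, a->suffix);
	out[outlen - 1] = '\0';
}

/*
 * RFC 4514 escaping of one attribute value: a backslash before
 * , + " \ < > ; and before a leading '#' or space or a trailing space.
 * Returns the escaped length, or -1 if it does not fit in out.
 */
int
dn_escape(const char *in, char *out, size_t outlen)
{
	size_t		len = strlen(in);
	size_t		o = 0;

	for (size_t i = 0; i < len; i++)
	{
		char		c = in[i];
		int			special = strchr(",+\"\\<>;", c) != NULL
			|| (i == 0 && (c == '#' || c == ' '))
			|| (i == len - 1 && c == ' ');

		if (o + (special ? 2 : 1) + 1 > outlen)
			return -1;
		if (special)
			out[o++] = '\\';
		out[o++] = c;
	}
	out[o] = '\0';
	return (int) o;
}

/* Hardened assembly: an escaped user name cannot add or remove RDNs. */
int
build_fulluser_safe(const struct ldap_arg *a, const char *user,
					char *out, size_t outlen)
{
	char		esc[2 * 128];	/* worst case: every byte escaped */

	if (dn_escape(user, esc, sizeof(esc)) < 0)
		return -1;
	snprintf(out, outlen, "%s%s%s", a->prefix, esc, a->suffix);
	out[outlen - 1] = '\0';
	return 0;
}

int
main(void)
{
	/* Constructed inputs: the URL from the report and a suffix-less AD form. */
	const char *url = "ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users";
	const char *ntdom = "ldap://ad.example.com/dc=example,dc=com;EXAMPLE\\;";
	struct ldap_arg a;
	char		dn[512];
	int			r;

	r = parse_8_2(url, &a);
	printf("%d fields; basedn=\"%s\" is parsed but never used\n", r, a.basedn);
	build_fulluser_8_2(&a, "jsmith", dn, sizeof(dn));
	printf("8.2.3 bind DN:  %s\n", dn);
	build_fulluser_8_2(&a, "jsmith,cn=admins", dn, sizeof(dn));
	printf("unescaped user: %s\n", dn);
	build_fulluser_safe(&a, "jsmith,cn=admins", dn, sizeof(dn));
	printf("escaped user:   %s\n", dn);

	r = parse_8_2(ntdom, &a);	/* 3 fields: suffix stays "" */
	build_fulluser_8_2(&a, "jsmith", dn, sizeof(dn));
	printf("%d fields; suffix-less bind name: %s\n", r, dn);
	return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The suffix-less form Magnus describes works here because the struct is zeroed before sscanf returns 3 with nothing matched for the suffix, so the bind name is just prefix + user. The escaping is this example's hardening, not anything 8.2.3 did: the quoted code splices the user name into the DN verbatim, so a name containing ',' or ';' changes the DN's structure; whether a directory would accept such a bind depends on the server, but escaping per RFC 4514 keeps the structure fixed regardless.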

