
Re: [BUGS] BUG #3095: LDAP authentication parsing incorrectly

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Joey Wang <jwang(at)sentillion(dot)com>
Cc: PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: [BUGS] BUG #3095: LDAP authentication parsing incorrectly
Date: 2007-03-24 21:50:03
Message-ID: 200703242150.l2OLo3O01420@momjian.us
Lists: pgsql-bugs, pgsql-patches
I have researched this problem, and the incorrect behavior seems to be
totally caused by the fact that unquoted commas are treated as item
separators in pg_hba.conf.

I have updated the documentation in 8.2 and CVS HEAD to indicate that
the LDAP URL should be double-quoted, and double-quoted the example URL
for emphasis.

If double-quoting does not 100% fix your problem, please let us know. 
Thanks.

Documentation patch attached.

---------------------------------------------------------------------------

Joey Wang wrote:
> 
> The following bug has been logged online:
> 
> Bug reference:      3095
> Logged by:          Joey Wang
> Email address:      jwang(at)sentillion(dot)com
> PostgreSQL version: 8.2.3
> Operating system:   Linux
> Description:        LDAP authentication parsing incorrectly
> Details: 
> 
> LDAP authentication parsing has two bugs.
> 
> When pg_hba.conf contains a line
> 
> host all all 127.0.0.1/24 ldap
> ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users
> 
> We expect the parsing will construct a user DN as
> 
> cn=userid,cn=users,dc=domain,dc=com
> 
> But
> 
> (1) dc=domain,dc=com is ignored. This is the src code from auth.c:
> 
> .....
> 
> /* ldap, no port number */
> r = sscanf(port->auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
>            server, basedn, prefix, suffix);
> 
> .....
> 
> snprintf(fulluser, sizeof(fulluser), "%s%s%s",
> 	 prefix, port->user_name, suffix);
> fulluser[sizeof(fulluser) - 1] = '\0';
> 
> r = ldap_simple_bind_s(ldap, fulluser, passwd);
> 
> We can see the code did not use basedn.
> 
> (2) suffix containing ',' is converted to other character. This bug is
> caused by parsing algorithm to treat comma as a token separator.
> 

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>          http://momjian.us
  EnterpriseDB                               http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

Attachment: /rtmp/diff
Description: text/x-diff (1.3 KB)
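To make the comma-splitting concrete, here is a small added Python model (not PostgreSQL's own code) of how an unquoted comma breaks the LDAP URL into separate pg_hba.conf items, together with a regex equivalent of the sscanf format quoted from auth.c. The tokenizing rules are a simplified assumption (whitespace and unquoted commas end an item, double quotes group one), and the two sample lines are constructed for the example.

```python
import re

# Constructed sample pg_hba.conf lines (assumption: not from any real config).
UNQUOTED = ("host all all 127.0.0.1/24 ldap "
            "ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users")
QUOTED = ('host all all 127.0.0.1/24 ldap '
          '"ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users,dc=domain,dc=com"')


def hba_tokens(line):
    """Simplified model of pg_hba.conf item splitting (assumption): whitespace
    and unquoted commas end an item; double quotes keep an item together."""
    tokens, cur, in_quote = [], "", False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and (ch.isspace() or ch == ","):
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


# Regex equivalent of the sscanf format quoted from auth.c:
#   "ldap://%127[^/]/%127[^;];%127[^;];%127s"
LDAP_ARG = re.compile(r"^ldap://([^/]{1,127})/([^;]{1,127});([^;]{1,127});(\S{1,127})")


def parse_ldap_arg(auth_arg):
    """Return server/basedn/prefix/suffix, or None if all four fields
    cannot be scanned (the sscanf would report fewer than 4 conversions)."""
    m = LDAP_ARG.match(auth_arg)
    if not m:
        return None
    server, basedn, prefix, suffix = m.groups()
    return {"server": server, "basedn": basedn, "prefix": prefix, "suffix": suffix}


def bind_dn(line, user):
    """DN that auth.c builds as prefix + user_name + suffix, or None on a parse failure.
    The item right after the method name is taken as the auth argument."""
    toks = hba_tokens(line)
    auth_arg = toks[5] if len(toks) > 5 else ""
    parsed = parse_ldap_arg(auth_arg)
    if parsed is None:
        return None
    return parsed["prefix"] + user + parsed["suffix"]
```

With the unquoted line the auth argument is cut off at the first comma, so the scan fails; with the quoted line the whole URL survives as one item and, because only prefix and suffix reach the bind, the suffix has to carry the full base DN to produce cn=userid,cn=users,dc=domain,dc=com.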
