Skip site navigation (1) Skip section navigation (2)

Proposed Patch - LDAPS support for servers on port 636 w/o TLS

From: stephen layland <steve(at)68k(dot)org>
To: Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Proposed Patch - LDAPS support for servers on port 636 w/o TLS
Date: 2008-04-26 01:02:40
Message-ID: 20080426010240.GS5734@68k.org (view raw or flat)
Thread:
Lists: pgsql-hackers
Hey Postgres Hackers,

this is my first time here, so... hi!

I've written a quick patch against the head branch (8.4DEV, but it also
works with 8.1.3 sources) to fix LDAP authentication support to
work with LDAPS servers that do not need start TLS.   I'd be interested
to hear your opinions on this.

Quick overview:

	The OpenLDAP recommended LDAPS configuration (as of OpenLDAP
	2.4?) is to have a regular (unencrypted) LDAP server listening
	on standard port 389.  Encryption will begin when the client
	issues a STARTTLS request ala SMTPS.

	Some older LDAP servers may not support TLS and instead have the
	SSL enabled ldap server listening on the ldaps port (usually
	636).

	While I agree it's probably not worth it to support older
	'unrecommended' setups, many organizations are slow on the
	uptake of recommended practices (mine is one of them :) ). 
	Allowing PostgreSQL to work with these organization's setups out
	of the box helps us pitch the db to organizations easier,
	especially those possibly overly paranoid about security.

	My solution was to create a boolean config variable called
	ldap_use_start_tls which the user can toggle whether or not
	start tls is necessary.  The default is to use start tls and 
	the recommended configuration.  I also updated the documentation
	and cleaned up the prefix/suffix/basedn interface so it's a bit
	more intuitive to the user (i.e. - the basedn setting is
	actually used, what they do are explained in the docs, etc.)
	Some people actually found that using an auth uri of:

		ldaps://ldap.example.org/junk;cn=;,dc=example,dc=com

	worked.  I think a more intuitive form would be:

		ldaps://ldap.example.org/dc=example,dc=com;cn=

	though this can be debated.

If any of you are interested in this, feel free to check out the patch
located here: 

	http://rockpunk.org/ldaps-postgres_8.4DEV.patch
	http://rockpunk.org/ldaps-postgres_8.4DEV.patch.asc

Please note that this patch does not implement ldaps for Albe Laurenz'
code that allows config to pull from LDAP via pg_service.conf, though it
should be easy to do.

I have tested this patch on the following configurations:

Client OS: RHEL4
Database:
	Postgres 8.1.3 sources
	Postgres 8.4DEV (cvs HEAD branch as of Apr 24)
libldap client:
	OpenLDAP version 2.2.12 (latest for RHEL4 subscriptions)
	OpenLDAP version 2.3.39 (stable)
libldap server:
	OpenLDAP slapd version 2.2.x? on CentOS 4 or 5. (<-- no access)

Thanks a bunch,

-Steve (rockpunk @ #postgresql)

-- 
 *------------------------*
//  ste\/e || 0x158f7a45 //
*------------------------*
   live now. die later.

Responses

pgsql-hackers by date

Next:From: Peter EisentrautDate: 2008-04-26 01:34:13
Subject: Re: Tech details - psql wraps at window width
Previous:From: Jacques CaronDate: 2008-04-25 23:27:45
Subject: FSM fill ratio

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group