Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: steve layland <steve(at)68k(dot)org>
Cc: David Boreham <david_list(at)boreham(dot)org>, Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS
Date: 2008-06-26 02:53:24
Message-ID: 200806260253.m5Q2rOX07472@momjian.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers


Added to TODO:

* Improve LDAP authentication configuration options

http://archives.postgresql.org/pgsql-hackers/2008-04/msg01745.php

---------------------------------------------------------------------------

steve layland wrote:
-- Start of PGP signed section.
> Thank you all for your comments. I was unaware the ldaps: scheme was
> not supposed to be used for LDAP+TLS encryption, but it makes sense now
> that you mention it.
>
> There's a nice discussion about how the folks working on mod_ldap for
> Apache worked this out way back in 2005:
>
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200501.mbox/%3c6(dot)2(dot)0(dot)14(dot)2(dot)20050104132551(dot)054a1eb0(at)pop3(dot)rowe-clan(dot)net%3e
>
> Anyway, I think we've distilled the issue down to how to best enable TLS
> for ldap:// connections.
>
> By my reckoning, that means we can have:
>
> 1) per-hba.conf entry configuration where the configuration can
> be:
>
> a) of the ldap URL extension form mentioned by David
> (!StartTLS).
>
> b) key=value type of param string as suggested by Magnus
>
> c) a specific URI scheme like ldap+tls:// like Tom
> suggested.
>
> d) a new authentication type ldaptls
>
> 2) per-postgres server configuration which can be:
>
> a) an old LDAPTLS environment variable ? needs research
>
> b) a server-wide GUC variable (along with TLSCERT
> specifications?) as in the current patch
>
> I'm open to other suggestions.
>
> One other thing to keep in mind is how best to map database roles to
> ldap Distinguished Name (dn) entries?
>
> In other words, we need to take the user jimmy in
>
> psql -U jimmy
>
> and translate into an ldap authentication request for the distinguished
> name that is entirely dependent on the site and ldap impl, example:
>
> uid=jimmy,ou=people,dc=example,dc=com
>
> I've racked my brain thinking of ways that this can fit cleanly in
> hba.conf, but I haven't found anything I _really_ like (current patch
> and proposal 3 below are prob my favorites.) Any other
> ideas/comments/suggestions?
>
> # Current Functionality for reference - no tls control
> host dbname all 127.0.0.0/32 ldap "ldap://ldap.example.com[:port]/ignored;uid=;ou=people,dc=example,dc=com"
>
> # Current Functionality in patch (w/ server wide TLS control in GUC var)
> # GUC var causes all ldap entries to use same authentication. can be
> # applied to service lookup as well
> host dbname all 127.0.0.0/32 ldap "ldap://ldap.example.com[:port]/ou=people,dc=example,dc=com;uid="
>
> # proposal 1 - RFC 2255 URI kind of yucky; scope, attributes, filter
> # not actually used in simple authentication
> host dbname all 127.0.0.0/32 ldap "ldap://ldap.example.com[:port]/uid=%u,ou=people,dc=example,dc=com???!StartTLS"
>
> # proposal 1b - still RFC 2255 compliant, but semantically weird. no
> # filter is actually used in simple authentication
> host dbname all 127.0.0.0/32 ldap "ldap://ldap.example.com[:port]/ou=people,dc=example,dc=com?one??(uid=%u)!StartTLS"
>
> # proposal 2 - psuedo-URI scheme; hacky but easy
> host dbname all 127.0.0.0/32 ldap "ldap+tls://ldap.example.com[:port]/ou=people,dc=example,dc=com;uid=;"
>
> # proposal 3 - mod hba parsing, add new ldaptls auth type; reasonably
> # easy and least invasive;
> host dbname all 127.0.0.0/32 ldaptls "ldap://ldap.example.com[:port]/ou=people,dc=example,dc=com;uid=;"
>
> # proposal 4 - mod hba parsing
> host dbname all 127.0.0.0/32 ldap "ldap://ldap.example.com[:port]/ou=people,dc=example,dc=com;uid=;" StartTLS
>
> # proposal 5 - Magnum's key = value like idea (i'm guessing here,
> # Magnum. If I misinterpret, please explain)
> host dbname all 127.0.0.0/32 ldap "ldap://ldap.example.com[:port]/ou=people,dc=example,dc=com;prefix=uid=;start_tls=1"
>
> I have some radical ideas as well involving completely ripping out the
> pg_hba.conf file but I'll leave that for another, more appropriate day.
> :)
>
> Thanks again for the feedback, and sorry for the verbosity.
>
> -Steve (#postgresql rockpunk)
-- End of PGP section, PGP failed!

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2008-06-26 03:12:46 Re: Creating a VIEW with a POINT column
Previous Message Tom Lane 2008-06-26 02:36:09 Re: Planner creating ineffective plans on LEFT OUTER joins