| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | stephen layland <steve(at)68k(dot)org> |
| Cc: | Postgres Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS |
| Date: | 2008-05-04 17:29:28 |
| Message-ID: | 23222.1209922168@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
stephen layland <steve(at)68k(dot)org> writes:
> I've written a quick patch against the head branch (8.4DEV, but it also
> works with 8.1.3 sources) to fix LDAP authentication support to
> work with LDAPS servers that do not need start TLS. I'd be interested
> to hear your opinions on this.
Not being an LDAP user, I'm not very qualified to comment on the details
here, but ...
> My solution was to create a boolean config variable called
> ldap_use_start_tls which the user can toggle whether or not
> start tls is necessary.
... I really don't like using a GUC variable to determine the
interpretation of entries in pg_hba.conf. A configuration file exists
to set configuration, it shouldn't need help from a distance. Also,
doing it this way means that if several different LDAP servers are
referenced in different pg_hba.conf entries, they'd all have to have
the same encryption behavior.
I think a better idea is to embed the flag in the pg_hba.conf entry
itself. Perhaps something like "ldapso:" instead of "ldaps:" to
indicate "old" secure ldap protocol, or include another parameter
in the URL body.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Florian Weimer | 2008-05-04 17:38:45 | Re: Protection from SQL injection |
| Previous Message | Tom Lane | 2008-05-04 16:49:15 | Re: [HACKERS] Text <-> C string |