From: | Andreas Pflug <pgadmin(at)pse-consulting(dot)de> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | stephen layland <steve(at)68k(dot)org>, Postgres Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS |
Date: | 2008-05-05 11:40:38 |
Message-ID: | 481EF236.7080000@pse-consulting.de |
Lists: | pgsql-hackers |
Tom Lane wrote:
> stephen layland <steve(at)68k(dot)org> writes:
>
>> I've written a quick patch against the head branch (8.4DEV, but it also
>> works with 8.1.3 sources) to fix LDAP authentication support to
>> work with LDAPS servers that do not need start TLS. I'd be interested
>> to hear your opinions on this.
>>
>
> Not being an LDAP user, I'm not very qualified to comment on the details
> here, but ...
>
>
>> My solution was to create a boolean config variable called
>> ldap_use_start_tls which the user can toggle whether or not
>> start tls is necessary.
>>
>
> ... I really don't like using a GUC variable to determine the
> interpretation of entries in pg_hba.conf. A configuration file exists
> to set configuration, it shouldn't need help from a distance. Also,
> doing it this way means that if several different LDAP servers are
> referenced in different pg_hba.conf entries, they'd all have to have
> the same encryption behavior.
>
> I think a better idea is to embed the flag in the pg_hba.conf entry
> itself. Perhaps something like "ldapso:" instead of "ldaps:" to
> indicate "old" secure ldap protocol, or include another parameter
> in the URL body.
>
With ldaps on port 636 STARTTLS should NEVER be issued, so the protocol
identifier ldaps should be sufficient as the "do not issue STARTTLS" flag.
IMHO the current pg_hba.conf implementation doesn't follow the usual
nomenclature; ldap with TLS is still ldap. Using ldaps as an indicator for
ldap with TLS over port 389 is misleading for anyone familiar with ldap.
Regards,
Andreas
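As an added illustration of the point made above (this is example code, not part of the patch or of PostgreSQL), the resolver below derives the connection mode from the LDAP URL scheme alone: ldaps means TLS from the first byte and STARTTLS is never issued, while STARTTLS is only meaningful on a plain ldap URL. The `starttls` keyword and the `LdapTarget` type are this example's own assumptions; the default ports 389 and 636 are the standard ones.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Standard default ports: plain ldap on 389, implicit-TLS ldaps on 636.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapTarget:
    host: str
    port: int
    scheme: str
    implicit_tls: bool   # True only for ldaps://: TLS handshake before any LDAP PDU
    use_starttls: bool   # True only for ldap:// when the entry asks for STARTTLS


def resolve_ldap_target(url: str, starttls: bool = False) -> LdapTarget:
    """Decide how the connection to `url` is protected.

    Rule: the ldaps scheme by itself is the "do not issue STARTTLS" flag.
    A plain ldap URL is upgraded with STARTTLS only when explicitly requested.
    Requesting STARTTLS together with ldaps is a configuration error and is
    rejected instead of being silently ignored.  (`starttls` is a hypothetical
    option for this example, not pg_hba.conf syntax.)
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; expected ldap or ldaps")
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    port = parts.port or DEFAULT_PORTS[scheme]

    if scheme == "ldaps":
        if starttls:
            raise ValueError("ldaps already implies TLS; STARTTLS must not be issued")
        return LdapTarget(parts.hostname, port, scheme, implicit_tls=True, use_starttls=False)
    return LdapTarget(parts.hostname, port, scheme, implicit_tls=False, use_starttls=starttls)
```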