Re: [BUGS] BUG #3095: LDAP authentication parsing incorrectly

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Joey Wang <jwang(at)sentillion(dot)com>
Cc: PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: [BUGS] BUG #3095: LDAP authentication parsing incorrectly
Date: 2007-03-24 21:50:03
Message-ID: 200703242150.l2OLo3O01420@momjian.us
Lists: pgsql-bugs pgsql-patches


I have researched this problem, and the incorrect behavior seems to be
totally caused by the fact that unquoted commas are treated as item
separators in pg_hba.conf.

I have updated the documentation in 8.2 and CVS HEAD to indicate that
the LDAP URL should be double-quoted, and double-quoted the example URL
for emphasis.

If double-quoting does not 100% fix your problem, please let us know.
Thanks.

Documentation patch attached.

---------------------------------------------------------------------------

Joey Wang wrote:
>
> The following bug has been logged online:
>
> Bug reference: 3095
> Logged by: Joey Wang
> Email address: jwang(at)sentillion(dot)com
> PostgreSQL version: 8.2.3
> Operating system: Linux
> Description: LDAP authentication parsing incorrectly
> Details:
>
> LDAP authentication parsing has two bugs.
>
> When pg_hba.conf contains a line
>
> host all all 127.0.0.1/24 ldap
> ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users
>
> We expect the parsing will construct a user DN as
>
> cn=userid,cn=users,dc=domain,dc=com
>
> But
>
> (1) dc=domain,dc=com is ignored. This is the src code from auth.c:
>
> .....
>
> /* ldap, no port number */
> r = sscanf(port->auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
> server, basedn, prefix, suffix);
>
> .....
>
> snprintf(fulluser, sizeof(fulluser), "%s%s%s",
> prefix, port->user_name, suffix);
> fulluser[sizeof(fulluser) - 1] = '\0';
>
> r = ldap_simple_bind_s(ldap, fulluser, passwd);
>
> We can see the code did not use basedn.
>
> (2) A suffix containing ',' is converted to another character. This bug is
> caused by the parsing algorithm treating the comma as a token separator.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Attachment Content-Type Size
/rtmp/diff text/x-diff 1.3 KB
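To make the tokenizing point in the reply concrete, here is an added example (not code from this message, the attached patch or PostgreSQL itself) that imitates the pg_hba.conf rule Bruce describes with a constructed tokenizer, then feeds the resulting token through the same sscanf pattern and DN construction quoted from auth.c in the bug report. The tokenizer, the helper names and the sample pg_hba.conf values are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Imitation of the pg_hba.conf tokenizing the message describes (constructed for this
 * example, not PostgreSQL's hba.c): an unquoted comma or blank ends a token; a
 * double-quoted token is kept whole and the quotes themselves are dropped. */
static void hba_first_token(const char *field, char *out, size_t outlen)
{
    size_t n = 0; int in_quote = 0;
    for (const char *p = field; *p != '\0' && n + 1 < outlen; p++) {
        if (*p == '"') { in_quote = !in_quote; continue; }
        if (!in_quote && (*p == ',' || *p == ' ' || *p == '\t'))
            break;                      /* unquoted comma: item separator */
        out[n++] = *p;
    }
    out[n] = '\0';
}
/* Same sscanf pattern and DN construction as the auth.c excerpt quoted in the
 * bug report: bind DN = prefix + user name + suffix; basedn is parsed but unused.
 * Returns the number of fields sscanf matched (4 means a complete parse). */
static int ldap_bind_dn(const char *auth_arg, const char *user, char *dn, size_t dnlen)
{
    char server[128], basedn[128], prefix[128], suffix[128];
    int r = sscanf(auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
                   server, basedn, prefix, suffix);
    if (r != 4) {
        dn[0] = '\0';                   /* auth string cut short: no usable DN */
        return r;
    }
    snprintf(dn, dnlen, "%s%s%s", prefix, user, suffix);
    return r;
}
/* Tokenize the auth option as written in pg_hba.conf, then build the DN. */
static int dn_from_hba_field(const char *field, const char *user, char *dn, size_t dnlen)
{
    char auth_arg[256];
    hba_first_token(field, auth_arg, sizeof(auth_arg));
    return ldap_bind_dn(auth_arg, user, dn, dnlen);
}
int main(void)
{
    char dn[512];
    const char *bare   = "ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users";
    const char *quoted = "\"ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users\"";
    int r1 = dn_from_hba_field(bare, "userid", dn, sizeof(dn));
    printf("unquoted: %d fields parsed, dn='%s'\n", r1, dn);
    int r2 = dn_from_hba_field(quoted, "userid", dn, sizeof(dn));
    printf("quoted:   %d fields parsed, dn='%s'\n", r2, dn);
    return 0;
}
```

Unquoted, the token ends at the first comma, so the sscanf pattern never reaches the prefix and suffix fields; quoted, the whole URL survives and the suffix ",cn=users" is appended to the user name intact.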
