Re: LDAP: bugfix and deprecated OpenLDAP API

On Tue, Feb 5, 2013 at 10:39 AM, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> wrote:
> I found a small bug in the implementation of LDAP connection
> parameter lookup.
>
> As documented in
> http://www.postgresql.org/docs/current/static/libpq-ldap.html
> processing should continue after a failed attempt
> to connect to an LDAP server.
>
> The code in src/interfaces/libpq/fe-connect.c defines a
> timeout of two seconds so that this failure won't block
> the libpq connection attempt for a long time.
>
> As coded now, the timeout won't work - if the LDAP server
> is down, ldap_simple_bind will wait for the network
> timeout, which will be quite longer than 2 seconds.
>
> The attached patch ldap-bug.patch fixes this problem;
> unfortunately I found no way that works both with OpenLDAP
> and Windows LDAP, so I had to add an #ifdef.
>
> I think that this patch should be applied and backpatched.

So just to be clear - the difference is we're going from implicit
anonymous bind, to an explicit one? We're not actually causing an
extra bind compared to previous versions?

> I also tried to fix the problem mentioned in
> http://www.postgresql.org/message-id/CA+TgmoYnj=Es3L_0Q8+ijR4tVhvztW1fb=7C9K9gEmZWqhpwuQ@mail.gmail.com
> that we use deprecated OpenLDAP functions, see the attached
> ldap-undeprecate.patch.
>
> I added a file ldap.c in src/port with my own implementation
> of some of the functions that OpenLDAP has deprecated.
> With that, the code changes necessary are pretty minimal.

Doesn't this need a version check against OpenSSL at some point, or a
configure check? Are we just assuming that all versions that people
ever use have the function deprecated? (That's probably not entirely
unreasonable, just double checking)

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/