Re: More flexible LDAP auth search filters?

On Sun, Jul 16, 2017 at 7:58 PM, Mark Cave-Ayland <
mark(dot)cave-ayland(at)ilande(dot)co(dot)uk> wrote:

> On 16/07/17 00:08, Thomas Munro wrote:
>
> > On Fri, Jul 14, 2017 at 11:04 PM, Magnus Hagander <magnus(at)hagander(dot)net>
> wrote:
> >> On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro
> >> <thomas(dot)munro(at)enterprisedb(dot)com> wrote:
> >>> A post on planet.postgresql.org today reminded me that a colleague had
> >>> asked me to post this POC patch here for discussion. It allows custom
> >>> filters with ldapsearchprefix and ldapsearchsuffix. Another approach
> >>> might be to take a filter pattern with "%USERNAME%" or whatever in it.
> >>> There's an existing precedent for the prefix and suffix approach, but
> >>> on the other hand a pattern approach would allow filters where the
> >>> username is inserted more than once.
> >>
> >>
> >> Do we even need prefix/suffix? If we just make it "ldapsearchpattern",
> then
> >> you could have something like:
> >>
> >> ldapsearchattribute="uid"
> >> ldapsearchfilter="|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA
> Team)"
> >>
> >> We could then always to substitution of the kind:
> >> (&(attr=<uid>)(<filter>))
> >>
> >> which would in this case give:
> >> (&(uid=mha)(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team)))
> >>
> >>
> >> Basically we'd always AND together the username lookup with the
> additional
> >> filter.
> >
> > Ok, so we have 3 ideas put forward:
> >
> > 1. Wrap username with ldapsearchprefix ldapsearchsuffix to build
> > filter (as implemented by POC patch)
> > 2. Optionally AND ldapsearchfilter with the existing
> > ldapsearchattribute-based filter (Magnus's proposal)
> > 3. Pattern-based ldapsearchfilter so that %USER% is replaced with
> > username (my other suggestion)
> >
> > The main argument for approach 1 is that it follows the style of the
> > bind-only mode.
> >
> > With idea 2, I wonder if there are some more general kinds of things
> > that people might want to do that that wouldn't be possible because it
> > has to include (attribute=user)... perhaps something involving a
> > substring or other transformation functions (but I'm no LDAP expert,
> > that may not make sense).
> >
> > With idea 3 it would allow "(|(foo=%USER%)(bar=%USER%))", though I
> > don't know if any such multiple-mention filters would ever make sense
> > in a sane LDAP configuration.
> >
> > Any other views from LDAP-users?
>
> I've spent quite a bit of time integrating various bits of
> non-PostgreSQL software to LDAP and in my experience option 3 tends to
> be the standard.
>
> Generally you find that you will be given the option to set the
> attribute for the default search filter of the form
> "(attribute=username)" which defaults to uid for UNIX-type systems and
> sAMAccountName for AD. However there is always the ability to specify a
> custom filter where the user is substituted via e.g. %u to cover all the
> other use-cases.

Right, but that's something we do already today. It just defaults to uid,
but it's easy to change.

>
> As an example, I don't know if anyone would actually do this with
> PostgreSQL but I've been asked on multiple occasions to configure
> software so that users should be allowed to log in with either their
> email address or username which is easily done with a custom LDAP filter
> like "(|(mail=%u)(uid=%u))".
>

How would that actually work, though? Given the same user in ldap could now
potentially match multiple different users in PostgreSQL. Would you then
create two accounts for the user, one with the uid as name and one with
email as name? Wouldn't that actually cause more issues than it solves?

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>