Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11

From: Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>
To: rnavarro(at)nocibe(dot)fr, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11
Date: 2018-11-09 19:28:25
Message-ID: CAEepm=2NQaokvU+LuGoRHUK9_CW0J5uPJzje+zxZYy8jcCchUg@mail.gmail.com
Lists: pgsql-bugs

On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
<noreply(at)postgresql(dot)org> wrote:
> The following bug has been logged on the website:
>
> Bug reference: 15495
> Logged by: Renaud Navarro
> Email address: rnavarro(at)nocibe(dot)fr
> PostgreSQL version: 11.1
> Operating system: Oracle Linux 7.5
> Description:
>
> Hi
>
> After upgrading the database from PostgreSQL 10.5 to PostgreSQL 11.1, LDAP
> authentication no longer works when multiple LDAP servers are specified.
> The pg_hba.conf has the following line:
> hostssl all all 172.20.0.0/16 ldap
> ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net"
> ldapprefix="NOCIBE\" ldaptls=1 "
> I have the following error in the log file:
> 2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad
> parameter to an ldap routine
> 2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for
> user "admin_rnavarro"
> If I modify the pg_hba.conf with one LDAP server, the authentication is
> working.
> The same entry with PostgreSQL 10.5 works perfectly.

Thanks for the report. I see the problem. In commit
35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
to ldap_initialize() because the newer interface supports LDAPS. To
do that we have to build a URI from the given protocol, server and
port. I overlooked the case where multiple servers are specified in
ldapserver. If you say ldapserver="a b c" then we generate a URI
"ldap://a b c:389", but it looks like we should instead generate a URI
list "ldap://a:389 ldap://b:389 ldap://c:389".

Unfortunately there doesn't seem to be an obvious workaround until we
can ship a fix in the next point release, because ldapurl doesn't
support the space-separated list format either.

--
Thomas Munro
http://www.enterprisedb.com
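The URI construction described above, as an added illustration that is not PostgreSQL's own code: `build_ldap_uri_naive` reproduces the shape of the 11.0/11.1 behaviour (the whole `ldapserver` string dropped into one URI, which libldap rejects as a bad parameter), and `build_ldap_uri_list` produces the space-separated URI list that `ldap_initialize()` accepts. Both function names, the `scheme` parameter and the fixed port are assumptions for the example; the two host names are the ones from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Example code, not from PostgreSQL's auth.c. Shows the difference between
 * embedding a space-separated host list in one URI and building a URI list.
 */

/* Buggy shape: ldapserver="a b c" becomes "ldap://a b c:389". The embedded
 * spaces make the URI invalid, which libldap reports as
 * "Bad parameter to an ldap routine". Returns a malloc'ed string. */
char *build_ldap_uri_naive(const char *scheme, const char *servers, int port)
{
    size_t len = strlen(scheme) + 3 + strlen(servers) + 1 + 11 + 1;
    char *uri = malloc(len);

    if (uri == NULL)
        return NULL;
    snprintf(uri, len, "%s://%s:%d", scheme, servers, port);
    return uri;
}

/* Corrected shape: one "scheme://host:port" per whitespace-separated host,
 * joined by single spaces. Returns a malloc'ed string, or NULL when no host
 * is present or allocation fails. */
char *build_ldap_uri_list(const char *scheme, const char *servers, int port)
{
    size_t slen = strlen(servers);
    /* Upper bound: at most slen/2+1 hosts, each gaining scheme + "://" +
     * ":" + up to 10 digits of port; separators are already counted in slen. */
    size_t cap = slen + (slen / 2 + 1) * (strlen(scheme) + 14) + 1;
    char *out = malloc(cap);
    char *copy = malloc(slen + 1);      /* strtok modifies its input */
    char *host;
    size_t used = 0;
    int nhosts = 0;

    if (out == NULL || copy == NULL)
    {
        free(out);
        free(copy);
        return NULL;
    }
    memcpy(copy, servers, slen + 1);
    out[0] = '\0';

    for (host = strtok(copy, " \t"); host != NULL; host = strtok(NULL, " \t"))
    {
        int n = snprintf(out + used, cap - used, "%s%s://%s:%d",
                         nhosts > 0 ? " " : "", scheme, host, port);

        if (n < 0 || (size_t) n >= cap - used)
        {
            free(out);
            free(copy);
            return NULL;
        }
        used += (size_t) n;
        nhosts++;
    }
    free(copy);

    if (nhosts == 0)
    {
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    /* Host list taken from the bug report; 389 is the default ldap port. */
    const char *servers = "dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net";
    char *bad = build_ldap_uri_naive("ldap", servers, 389);
    char *good = build_ldap_uri_list("ldap", servers, 389);

    printf("single URI (rejected by libldap): %s\n", bad);
    printf("URI list (accepted):              %s\n", good);
    free(bad);
    free(good);
    return 0;
}
```

Because each entry in the list is a complete URI, the scheme and port are repeated per host; a value with no host at all (only whitespace) is reported as an error rather than turned into an empty URI.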
