From cd5536fa70eed74f8b1aa4f856edae8b84d76ef5 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Fri, 8 Sep 2017 10:58:53 -0400
Subject: [PATCH] fixup! Allow custom search filters to be configured for LDAP auth.
---
 doc/src/sgml/client-auth.sgml | 4 +---
 src/backend/libpq/auth.c | 18 ++++++++----------
 2 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 1773ce29a9..1c3db96134 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1525,7 +1525,7 @@ LDAP Authentication
 An RFC 4516 LDAP URL. This is an alternative way to write some of the other LDAP options in a more compact and standard form. The format is
-ldap://host[:port]/basedn[[[?[attribute]][?scope]][?filter]]
+ldap://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]
 scope must be one of base, one, sub,
@@ -1537,8 +1537,6 @@ LDAP Authentication
 ldapsearchfilter. When specifying a search filter as part of a URL, the special token %u standing for the user name must be written as %25u.
- Some other components of standard LDAP URLs such as extensions are
- not supported.
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 6c96e87d37..c43f203eb3 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2401,8 +2401,8 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 static char *
 FormatSearchFilter(const char *pattern, const char *user_name)
 {
- Size user_name_size = strlen(user_name);
- Size buffer_size = 0;
+ size_t user_name_size = strlen(user_name);
+ size_t buffer_size = 0;
 const char *in;
 char *out;
 char *result;
@@ -2413,7 +2413,7 @@ FormatSearchFilter(const char *pattern, const char *user_name)
 {
 if (in[0] == '%' && in[1] == 'u')
 {
- buffer_size += user_name_size;
+ buffer_size += user_name_size - 2;
 in += 2;
 }
 else
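Review bot: `buffer_size += user_name_size - 2;` relies on size_t wraparound whenever the user name is shorter than two bytes, and nothing in the hunk states which quantity `buffer_size` accumulates — the full output length, or the growth relative to strlen(pattern) — so a reader cannot tell from this line whether the subtraction is right; the else branch and the final allocation are outside the hunk (FormatSearchFilter continues past it). If the accumulator is the growth over the pattern length, the wrapped value cancels out only when it is later added to strlen(pattern) in size_t as well; if it is the full output length, the new line undercounts by two bytes per placeholder and the later copy would overrun the buffer. A comment at the assignment would pin the contract, e.g. `/* "%u" (2 bytes) is replaced by user_name; may wrap for 0/1-byte names, cancelled when strlen(pattern) is added */`, or the subtraction can be avoided by counting output bytes in both branches and allocating that total plus one. Since user_name presumably arrives from the client, the computed size has to be correct for every length it can take.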
@@ -2486,7 +2486,7 @@ CheckLDAPAuth(Port *port)
 char *filter;
 LDAPMessage *search_message;
 LDAPMessage *entry;
- char *attributes[2];
+ char *attributes[] = { LDAP_NO_ATTRS, NULL };
 char *dn;
 char *c;
 int count;
@@ -2528,15 +2528,13 @@ CheckLDAPAuth(Port *port)
 return STATUS_ERROR;
 }
- /* Fetch just one attribute, else *all* attributes are returned */
- attributes[0] = port->hba->ldapsearchattribute ? port->hba->ldapsearchattribute : "uid";
- attributes[1] = NULL;
-
 /* Build a custom filter or a single attribute filter? */
- if (port->hba->ldapsearchfilter != NULL)
+ if (port->hba->ldapsearchfilter)
 filter = FormatSearchFilter(port->hba->ldapsearchfilter, port->user_name);
+ else if (port->hba->ldapsearchattribute)
+ filter = psprintf("(%s=%s)", port->hba->ldapsearchattribute, port->user_name);
 else
- filter = psprintf("(%s=%s)", attributes[0], port->user_name);
+ filter = psprintf("(uid=%s)", port->user_name);
 r = ldap_search_s(ldap,
 port->hba->ldapbasedn,
-- 2.11.0 (Apple Git-81)
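Review bot: `char *attributes[] = { LDAP_NO_ATTRS, NULL };` carries no comment, and the explanatory one that accompanied the old `attributes[0]` assignment (`Fetch just one attribute, else *all* attributes are returned`) is deleted in the next hunk without a replacement, so the reason for requesting no attributes at all is no longer stated anywhere near the declaration. A short note would keep the intent visible, e.g. `char *attributes[] = { LDAP_NO_ATTRS, NULL };	/* request no attributes; only the entry's DN is used */` — the second half is an inference from the `char *dn` declaration and should be confirmed against the code after the search. CheckLDAPAuth continues outside the hunk.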
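Review bot: Both new `psprintf("(%s=%s)", port->hba->ldapsearchattribute, port->user_name)` and `psprintf("(uid=%s)", port->user_name)` lines interpolate `port->user_name` into the LDAP filter verbatim, so a role name containing characters that are special in RFC 4515 filters (`*`, `(`, `)`, `\`) alters the meaning of the search instead of being matched literally; the `%u` substitution done by FormatSearchFilter in the first branch has the same property. The commit inherits this from the removed `attributes[0]` variant rather than introducing it, but the three-way branch is the natural place to pass the name through a single RFC 4515 escaping helper before it reaches any of the filters. At minimum a comment at the branch should state that `port->user_name` is client-supplied and is not escaped here, so that the assumption is visible to whoever touches the filter next; CheckLDAPAuth and the `ldap_search_s` call continue outside the hunk.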