author | Thomas Munro <tmunro@postgresql.org> | 2019-03-21 15:19:03 +1300 |
---|---|---|
committer | Thomas Munro <tmunro@postgresql.org> | 2019-03-21 15:28:17 +1300 |
commit | 0f086f84ad9041888b789af5871c7432f0e19c5b (patch) | |
tree | e5423d372a6b2ee5077235f656eb00d3d8f39337 /doc/src | |
parent | 8aa9dd74b36757342b6208fbfebb5b35c2d67c53 (diff) |
Add DNS SRV support for LDAP server discovery.
LDAP servers can be advertised on a network with RFC 2782 DNS SRV
records. The OpenLDAP command-line tools automatically try to find
servers that way, if no server name is provided by the user. Teach
PostgreSQL to do the same using OpenLDAP's support functions, when
building with OpenLDAP.
For now, we assume that HAVE_LDAP_INITIALIZE (an OpenLDAP extension
available since OpenLDAP 2.0 and also present in Apple LDAP) implies
that you also have ldap_domain2hostlist() (which arrived in the same
OpenLDAP version and is also present in Apple LDAP).
Author: Thomas Munro
Reviewed-by: Daniel Gustafsson
Discussion: https://postgr.es/m/CAEepm=2hAnSfhdsd6vXsM6VZVN0br-FbAZ-O+Swk18S5HkCP=A@mail.gmail.com
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/client-auth.sgml | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 411f1e16794..c7e4d3817f1 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1655,7 +1655,8 @@ ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<rep </para> <para> - LDAP URLs are currently only supported with OpenLDAP, not on Windows. + LDAP URLs are currently only supported with + <productname>OpenLDAP</productname>, not on Windows. </para> </listitem> </varlistentry> @@ -1679,6 +1680,15 @@ ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<rep </para> <para> + If <productname>PostgreSQL</productname> was compiled with + <productname>OpenLDAP</productname> as the LDAP client library, the + <literal>ldapserver</literal> setting may be omitted. In that case, a + list of hostnames and ports is looked up via RFC 2782 DNS SRV records. + The name <literal>_ldap._tcp.DOMAIN</literal> is looked up, where + <literal>DOMAIN</literal> is extracted from <literal>ldapbasedn</literal>. + </para> + + <para> Here is an example for a simple-bind LDAP configuration: <programlisting> host ... ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=example, dc=net" @@ -1723,6 +1733,15 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse </programlisting> </para> + <para> + Here is an example for a search+bind configuration that uses DNS SRV + discovery to find the hostname(s) and port(s) for the LDAP service for the + domain name <literal>example.net</literal>: +<programlisting> +host ... ldap ldapbasedn="dc=example,dc=net" +</programlisting> + </para> + <tip> <para> Since LDAP often uses commas and spaces to separate the different |
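Review bot: the new paragraph under ldapserver says the setting "may be omitted" whenever PostgreSQL is built against OpenLDAP, but the domain it then queries is "extracted from ldapbasedn", so the fallback can only work for search+bind configurations that set ldapbasedn; a simple-bind configuration (ldapprefix/ldapsuffix, no ldapbasedn) has nothing to derive DOMAIN from. Suggest saying so explicitly, and spelling out how DOMAIN is derived (the example later in the patch implies the dc= components of the base DN joined with dots, so dc=example,dc=net becomes example.net) and what the server does when no SRV records are returned.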
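Review bot: the added example `host ... ldap ldapbasedn="dc=example,dc=net"` leaves the choice of LDAP host entirely to the DNS answer, and in search+bind the user's password is sent to whichever host that answer names; the documentation should caveat that SRV discovery is only as trustworthy as the resolver and DNS path, and that deployments using it should still require TLS and verification of the discovered server's identity rather than trust the DNS response alone.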