diff options
| author | Magnus Hagander <magnus@hagander.net> | 2009-12-12 21:35:21 +0000 |
|---|---|---|
| committer | Magnus Hagander <magnus@hagander.net> | 2009-12-12 21:35:21 +0000 |
| commit | 0182d6f646997e486f56f847001ff74694bdd7da (patch) | |
| tree | 49487ab29c3deb7e84f2b3d1f1f5a47832ff4fa9 /src/backend/libpq/hba.c | |
| parent | a4e035b2f1313b268dc6b8a1ff908cdd5ad96625 (diff) | |
Allow LDAP authentication to operate in search+bind mode, meaning it
does a search for the user in the directory first, and then binds with
the DN found for this user.
This allows for LDAP logins in scenarios where the DN of the user cannot
be determined simply by prefix and suffix, such as the case where different
users are located in different containers.
The old way of authentication can be significantly faster, so it's kept
as an option.
Robert Fleming and Magnus Hagander
Diffstat (limited to 'src/backend/libpq/hba.c')
| -rw-r--r-- | src/backend/libpq/hba.c | 53 |
1 files changed, 52 insertions, 1 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index a51ea53082b..65d5beadd3f 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -10,7 +10,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.192 2009/10/03 20:04:39 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.193 2009/12/12 21:35:21 mha Exp $ * *------------------------------------------------------------------------- */ @@ -1103,6 +1103,26 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline) return false; } } + else if (strcmp(token, "ldapbinddn") == 0) + { + REQUIRE_AUTH_OPTION(uaLDAP, "ldapbinddn", "ldap"); + parsedline->ldapbinddn = pstrdup(c); + } + else if (strcmp(token, "ldapbindpasswd") == 0) + { + REQUIRE_AUTH_OPTION(uaLDAP, "ldapbindpasswd", "ldap"); + parsedline->ldapbindpasswd = pstrdup(c); + } + else if (strcmp(token, "ldapsearchattribute") == 0) + { + REQUIRE_AUTH_OPTION(uaLDAP, "ldapsearchattribute", "ldap"); + parsedline->ldapsearchattribute = pstrdup(c); + } + else if (strcmp(token, "ldapbasedn") == 0) + { + REQUIRE_AUTH_OPTION(uaLDAP, "ldapbasedn", "ldap"); + parsedline->ldapbasedn = pstrdup(c); + } else if (strcmp(token, "ldapprefix") == 0) { REQUIRE_AUTH_OPTION(uaLDAP, "ldapprefix", "ldap"); @@ -1156,6 +1176,37 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline) if (parsedline->auth_method == uaLDAP) { MANDATORY_AUTH_ARG(parsedline->ldapserver, "ldapserver", "ldap"); + + /* + * LDAP can operate in two modes: either with a direct bind, using + * ldapprefix and ldapsuffix, or using a search+bind, + * using ldapbasedn, ldapbinddn, ldapbindpasswd and ldapsearchattribute. + * Disallow mixing these parameters. + */ + if (parsedline->ldapprefix || parsedline->ldapsuffix) + { + if (parsedline->ldapbasedn || + parsedline->ldapbinddn || + parsedline->ldapbindpasswd || + parsedline->ldapsearchattribute) + { + ereport(LOG, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd or ldapsearchattribute together with ldapprefix"), + errcontext("line %d of configuration file \"%s\"", + line_num, HbaFileName))); + return false; + } + } + else if (!parsedline->ldapbasedn) + { + ereport(LOG, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\" or \"ldapsuffix\" to be set"), + errcontext("line %d of configuration file \"%s\"", + line_num, HbaFileName))); + return false; + } } /* |