From 0182d6f646997e486f56f847001ff74694bdd7da Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Sat, 12 Dec 2009 21:35:21 +0000
Subject: Allow LDAP authentication to operate in search+bind mode, meaning it
 does a search for the user in the directory first, and then binds with the DN
 found for this user.

This allows for LDAP logins in scenarios where the DN of the user cannot
be determined simply by prefix and suffix, such as the case where different
users are located in different containers.

The old way of authentication can be significantly faster, so it's kept
as an option.

Robert Fleming and Magnus Hagander
---
 doc/src/sgml/client-auth.sgml | 80 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 68 insertions(+), 12 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 6442aa1efed..e1d8c9503b5 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.124 2009/10/01 01:58:57 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.125 2009/12/12 21:35:21 mha Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -1202,7 +1202,8 @@ omicron       bryanh            guest1
    </para>
 
    <para>
-    The server will bind to the distinguished name constructed as
+    LDAP authentication can operate in two modes. In the first mode,
+    the server will bind to the distinguished name constructed as
     <replaceable>prefix</> <replaceable>username</> <replaceable>suffix</>.
     Typically, the <replaceable>prefix</> parameter is used to specify
     <literal>cn=</>, or <replaceable>DOMAIN</><literal>\</> in an Active
@@ -1210,6 +1211,23 @@ omicron       bryanh            guest1
     remaining part of the DN in a non-Active Directory environment.
    </para>
 
+   <para>
+    In the second mode, the server first binds to the LDAP directory with
+    a fixed username and password, specified with <replaceable>ldapbinduser</>
+    and <replaceable>ldapbinddn</>, and performs a search for the user trying
+    to log in to the database. If no user and password is configured, an
+    anonymous bind will be attempted to the directory. The search will be
+    performed over the subtree at <replaceable>ldapbasedn</>, and will try to
+    do an exact match of the attribute specified in
+    <replaceable>ldapsearchattribute</>. If no attribute is specified, the
+    <literal>uid</> attribute will be used. Once the user has been found in
+    this search, the server disconnects and re-binds to the directory as
+    this user, using the password specified by the client, to verify that the
+    login is correct. This method allows for significantly more flexibility
+    in where the user objects are located in the directory, but will cause
+    two separate connections to the LDAP server to be made.
+   </para>
+
    <para>
     The following configuration options are supported for LDAP:
     <variablelist>
@@ -1221,11 +1239,32 @@ omicron       bryanh            guest1
        </para>
       </listitem>
      </varlistentry>
+     <varlistentry>
+      <term><literal>ldapport</literal></term>
+      <listitem>
+       <para>
+        Port number on LDAP server to connect to. If no port is specified,
+        the default port in the LDAP library will be used.
+       </para>
+      </listitem>
+     </varlistentry>
+     <varlistentry>
+      <term><literal>ldaptls</literal></term>
+      <listitem>
+       <para>
+        Set to <literal>1</> to make the connection between PostgreSQL and the
+        LDAP server use TLS encryption. Note that this only encrypts
+        the traffic to the LDAP server &mdash; the connection to the client
+        will still be unencrypted unless SSL is used.
+       </para>
+      </listitem>
+     </varlistentry>
      <varlistentry>
       <term><literal>ldapprefix</literal></term>
       <listitem>
        <para>
-        String to prepend to the username when forming the DN to bind as.
+        String to prepend to the username when forming the DN to bind as,
+        when doing simple bind authentication.
        </para>
       </listitem>
      </varlistentry>
@@ -1233,30 +1272,47 @@ omicron       bryanh            guest1
       <term><literal>ldapsuffix</literal></term>
       <listitem>
        <para>
-        String to append to the username when forming the DN to bind as.
+        String to append to the username when forming the DN to bind as,
+        when doing simple bind authentication.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
-      <term><literal>ldapport</literal></term>
+      <term><literal>ldapbasedn</literal></term>
       <listitem>
        <para>
-        Port number on LDAP server to connect to. If no port is specified,
-        the default port in the LDAP library will be used.
+        DN to root the search for the user in, when doing search+bind
+        authentication.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
-      <term><literal>ldaptls</literal></term>
+      <term><literal>ldapbinddn</literal></term>
       <listitem>
        <para>
-        Set to <literal>1</> to make the connection between PostgreSQL and the
-        LDAP server use TLS encryption. Note that this only encrypts
-        the traffic to the LDAP server &mdash; the connection to the client
-        will still be unencrypted unless SSL is used.
+        DN of user to bind to the directory with to perform the search when
+        doing search+bind authentication.
        </para>
       </listitem>
      </varlistentry>
+     <varlistentry>
+      <term><literal>ldapbindpasswd</literal></term>
+      <listitem>
+       <para>
+        Password for user to bind to the directory with to perform the search
+        when doing search+bind authentication.
+       </para>
+      </listitem>
+      </varlistentry>
+      <varlistentry>
+       <term><literal>ldapsearchattribute</literal></term>
+       <listitem>
+        <para>
+         Attribute to match against the username in the search when doing
+         search+bind authentication.
+        </para>
+       </listitem>
+      </varlistentry>
     </variablelist>
    </para>
 
-- 
cgit v1.2.3