From f68d85bf69233ef842a08707bbd1204ef8216549 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Tue, 23 Jul 2024 10:14:38 +0200
Subject: ldapurl is supported with simple bind
The docs currently imply that ldapurl is for search+bind only, but that's not true. Rearrange the docs to cover this better. Add a test ldapurl with simple bind. This was previously allowed but unexercised, and now that it's documented it'd be good to pin the behavior. Improve error when mixing LDAP bind modes. The option names had gone stale; replace them with a more general statement.
Author: Jacob Champion
Discussion: https://www.postgresql.org/message-id/flat/CAOYmi+nyg9gE0LeP=xQ3AgyQGR=5ZZMkVVbWd0uR8XQmg_dd5Q@mail.gmail.com
---
 src/backend/libpq/hba.c | 4 ++--
 src/test/ldap/t/001_auth.pl | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 18271def2e8..75d588e36a1 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1907,10 +1907,10 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
 {
 ereport(elevel,
 (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"),
+ errmsg("cannot mix options for simple bind and search+bind modes"),
 errcontext("line %d of configuration file \"%s\"",
 line_num, file_name)));
- *err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix";
+ *err_msg = "cannot mix options for simple bind and search+bind modes";
 return NULL;
 }
 }
diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 850db34503f..43e029921ca 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
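Review bot: The replacement text on the `+ errmsg(...)` and `+ *err_msg = ...` lines no longer names the offending option, so an operator reading the server log or pg_hba_file_rules has to work out by hand which of the LDAP options crossed the mode boundary; the old list was stale, but it was actionable. I would keep the general sentence and carry the classification as a hint, e.g. `errhint("ldapprefix and ldapsuffix select simple bind; ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute and ldapsearchfilter select search+bind.")`, which stays correct as long as ldapurl is accepted by both modes as the commit message says. The same literal is now spelled out twice (ereport and *err_msg), so a single `static const char` shared by both would keep them from drifting apart the next time the wording changes. The `if` guard that decides what counts as mixing, and the rest of parse_hba_line, lie outside the hunk, so I cannot confirm here that the guard itself no longer treats ldapurl as a search+bind-only option; the new simple-bind test in 001_auth.pl implies it does not.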
@@ -145,6 +145,22 @@ test_access($node, 'test1', 0, 'search+bind authentication succeeds');
 
 note "LDAP URLs";
 
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+ qq{local all all ldap ldapurl="$ldap_url" ldapprefix="uid=" ldapsuffix=",dc=example,dc=net"}
+);
+$node->restart;
+
+$ENV{"PGPASSWORD"} = 'wrong';
+test_access($node, 'test0', 2,
+ 'simple bind with LDAP URL authentication fails if user not found in LDAP'
+);
+test_access($node, 'test1', 2,
+ 'simple bind with LDAP URL authentication fails with wrong password');
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0,
+ 'simple bind with LDAP URL authentication succeeds');
+
 unlink($node->data_dir . '/pg_hba.conf');
 $node->append_conf('pg_hba.conf',
 qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn?uid?sub"});
-- cgit v1.2.3
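Review bot: The new block pins that a bare `ldapurl="$ldap_url"` together with `ldapprefix`/`ldapsuffix` authenticates, but nothing pins what happens when the URL carries search+bind components (base DN, attribute, filter) alongside `ldapprefix`, which is precisely the mixing case the hba.c message in this commit is about. A rule such as `qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn?uid?sub" ldapprefix="uid=" ldapsuffix=",dc=example,dc=net"}` should either be rejected when pg_hba.conf is loaded or have its search components honored; if they are silently dropped in simple-bind mode, an administrator could believe the URL's filter restricts who may log in when it does not. I would add one negative test for that configuration next to this block, using whatever pattern the file already has for a rejected pg_hba.conf line (none is visible in this hunk). A smaller nit: the description `fails if user not found in LDAP` is inherited from the earlier simple-bind tests, but as far as I can tell the server only sees a failed bind for the constructed DN here, so the test does not distinguish a missing user from a wrong password; a wording like `fails for a user not present in LDAP (bind rejected)` would state what is actually observed.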