On Fri, Feb 9, 2018 at 4:05 PM, Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> After the LDAP code was switched to use ldap_initialize() as part of the
> ldaps support, ldapi (LDAP over Unix-domain sockets) also works. I
> noticed an old bug report (#13625) that asked for it. So I suggest this
> patch to document this and add some tests.
>
> One flaw is that this only works when using the URL syntax. Providing a
> separate option would require coding URL escaping, since ultimately a
> URL must be composed and passed to ldap_initialize(). But since
> OpenLDAP apparently now considers URLs to be the preferred form for
> connection parameters, I'm comfortable just sticking to that format.

Nice. The test doesn't actually succeed in reloading the pg_hba.conf
file though:

2018-02-09 16:41:15.886 NZDT [24472] LOG: received SIGHUP, reloading configuration files
2018-02-09 16:41:15.893 NZDT [24472] LOG: unsupported LDAP URL scheme: ldapi
2018-02-09 16:41:15.893 NZDT [24472] LOG: pg_hba.conf was not reloaded

I think hba.c needs to learn to consider "ldapi" to be acceptable
(after it parses the URL). Then I think when
InitializeLDAPConnection() reconstitutes the URL with psprintf, it'll
probably need to avoid sticking :port on the end.
The fact that we take the URL to pieces and then stick it back
together again may seem a bit odd, but it is required by the
documentation (ldap_initialize() wants a URL "containing only the
schema, the host, and the port fields").
I see there is another scheme called "cldap" (which seems to be
something like LDAP over UDP). I wonder if anyone cares about that.
--
Thomas Munro
http://www.enterprisedb.com
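A worked illustration of the two changes Thomas asks for (accept "ldapi" as a scheme in the URL check, and do not append ":port" when the URL is reconstituted for ldap_initialize()). This is an added example, not code from hba.c or from the patch under discussion; the struct, function names and sample URLs are hypothetical, and the parser is a toy that only splits scheme://authority and ignores IPv6 literals, the DN and the query part.

```c
/* Added example (not PostgreSQL code): toy "take the URL apart and
 * rebuild only scheme/host/port" step, with ldapi handled so that no
 * :port is appended.  Names below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define LDAP_DEFAULT_PORT  389
#define LDAPS_DEFAULT_PORT 636

typedef struct {
    char scheme[8];   /* "ldap", "ldaps" or "ldapi" */
    char host[256];   /* hostname, or percent-encoded socket path for ldapi */
    int  port;        /* 0 means "not given in the URL" */
} ldap_url_parts;

/* Schemes accepted after parsing; "cldap" (LDAP over UDP) is rejected. */
static int scheme_is_supported(const char *scheme)
{
    return strcasecmp(scheme, "ldap") == 0 ||
           strcasecmp(scheme, "ldaps") == 0 ||
           strcasecmp(scheme, "ldapi") == 0;
}

/* Parse "scheme://authority[/dn?...]" into parts.
 * Returns 0 on success, -1 on malformed input or unsupported scheme. */
static int parse_ldap_url(const char *url, ldap_url_parts *out)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL || sep == url || (size_t)(sep - url) >= sizeof out->scheme)
        return -1;
    memset(out, 0, sizeof *out);
    memcpy(out->scheme, url, (size_t)(sep - url));
    if (!scheme_is_supported(out->scheme))
        return -1;

    const char *auth = sep + 3;
    size_t alen = strcspn(auth, "/?");          /* authority ends at DN/attrs */
    if (alen == 0 || alen >= sizeof out->host)
        return -1;

    if (strcasecmp(out->scheme, "ldapi") == 0) {
        /* ldapi: authority is the percent-encoded socket path, never host:port */
        memcpy(out->host, auth, alen);
        return 0;
    }
    const char *colon = memchr(auth, ':', alen);
    if (colon == NULL) {
        memcpy(out->host, auth, alen);
        return 0;
    }
    memcpy(out->host, auth, (size_t)(colon - auth));
    char *end;
    long p = strtol(colon + 1, &end, 10);
    if (end != auth + alen || p <= 0 || p > 65535)   /* ":" must be followed by a port */
        return -1;
    out->port = (int)p;
    return 0;
}

/* Rebuild the minimal URL ldap_initialize() wants ("scheme, host, port").
 * ldapi gets no :port; ldap/ldaps fall back to the scheme default. */
static int build_init_url(const ldap_url_parts *p, char *buf, size_t buflen)
{
    if (strcasecmp(p->scheme, "ldapi") == 0)
        return snprintf(buf, buflen, "%s://%s", p->scheme, p->host);
    int port = p->port ? p->port :
        (strcasecmp(p->scheme, "ldaps") == 0 ? LDAPS_DEFAULT_PORT : LDAP_DEFAULT_PORT);
    return snprintf(buf, buflen, "%s://%s:%d", p->scheme, p->host, port);
}

/* Convenience: parsed port of a URL, or -1 if the URL is rejected. */
int parsed_port(const char *url)
{
    ldap_url_parts p;
    return parse_ldap_url(url, &p) == 0 ? p.port : -1;
}

/* Runs the example over constructed URLs (not from any real pg_hba.conf);
 * returns 1 when every rebuilt URL is what ldap_initialize() should see. */
int self_check(void)
{
    ldap_url_parts p;
    char buf[512];
    if (parse_ldap_url("ldapi://%2Ftmp%2Fldapi.sock/dc=example,dc=net", &p) != 0 || p.port != 0)
        return 0;
    build_init_url(&p, buf, sizeof buf);
    if (strcmp(buf, "ldapi://%2Ftmp%2Fldapi.sock") != 0)
        return 0;
    if (parse_ldap_url("ldaps://ldap.example.net/dc=example,dc=net", &p) != 0)
        return 0;
    build_init_url(&p, buf, sizeof buf);
    if (strcmp(buf, "ldaps://ldap.example.net:636") != 0)
        return 0;
    if (parse_ldap_url("cldap://ldap.example.net/", &p) != -1)    /* UDP scheme rejected */
        return 0;
    return 1;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The point of keeping the ldapi branch separate is that a percent-encoded socket path contains no host and no port, so the generic host:port split and the ":%d" in the rebuilt URL would both produce a string ldap_initialize() rejects.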