Re: BUG #3095: LDAP authentication parsing incorrectly
From | Magnus Hagander |
---|---|
Subject | Re: BUG #3095: LDAP authentication parsing incorrectly |
Date | |
Msg-id | 20070308151522.GA8575@svr2.hagander.net |
In reply to | BUG #3095: LDAP authentication parsing incorrectly ("Joey Wang" <jwang@sentillion.com>) |
List | pgsql-bugs |

On Thu, Mar 01, 2007 at 09:48:34PM +0000, Joey Wang wrote:
>
> The following bug has been logged online:
>
> Bug reference:      3095
> Logged by:          Joey Wang
> Email address:      jwang@sentillion.com
> PostgreSQL version: 8.2.3
> Operating system:   Linux
> Description:        LDAP authentication parsing incorrectly
> Details:
>
> LDAP authentication parsing has two bugs.
>
> When pg_hba.conf contains the line
>
> host all all 127.0.0.1/24 ldap
> ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users
>
> We expect the parsing will construct a user DN as
>
> cn=userid,cn=users,dc=domain,dc=com
>
> But
>
> (1) dc=domain,dc=com is ignored. This is the src code from auth.c:
>
> .....
>
> /* ldap, no port number */
> r = sscanf(port->auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
>            server, basedn, prefix, suffix);
>
> .....
>
> snprintf(fulluser, sizeof(fulluser), "%s%s%s",
>          prefix, port->user_name, suffix);
> fulluser[sizeof(fulluser) - 1] = '\0';
>
> r = ldap_simple_bind_s(ldap, fulluser, passwd);
>
> We can see the code did not use basedn.

That is indeed so. IIRC, that was actually intentional, to make it possible
to use suffix-less binding (such as EXAMPLE\account for ActiveDirectory,
using the NT domain name instead of the LDAP dn). Does kind of make the
base dn unnecessary ;-)

> (2) suffix containing ',' is converted to other character. This bug is
> caused by parsing algorithm to treat comma as a token separator.

For some reason, I can't get my AD to accept my LDAP connection on my test
machine - it keeps bitching about certificates and such. Anyway.

Does it not work if you quote the LDAP url? I *think* that is permitted...

//Magnus
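
Added example, not part of the original thread: the sscanf() and snprintf() calls quoted from auth.c above, run stand-alone on the URL from the report and on a constructed suffix-less URL of the EXAMPLE\account kind. `struct ldap_arg`, `parse_auth_arg`, `bind_name` and the buffer sizes are hypothetical, chosen for this sketch. Given the intact string, sscanf() keeps the commas, and basedn is parsed but never reaches the bind name.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical container for the four fields the quoted sscanf() fills. */
struct ldap_arg {
    char server[128], basedn[128], prefix[128], suffix[128];
    int fields;                 /* sscanf() return value */
};

/* Parse auth_arg with the exact format string quoted from auth.c
 * (the "ldap, no port number" branch). */
static struct ldap_arg parse_auth_arg(const char *auth_arg)
{
    struct ldap_arg a;
    memset(&a, 0, sizeof(a));   /* fields sscanf() does not reach stay empty */
    a.fields = sscanf(auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
                      a.server, a.basedn, a.prefix, a.suffix);
    return a;
}

/* Build the bind name as the quoted snprintf() does: prefix + user + suffix.
 * basedn is not an input. Buffer size is an assumption of this sketch. */
static const char *bind_name(const struct ldap_arg *a, const char *user)
{
    static char fulluser[3 * 128];
    snprintf(fulluser, sizeof(fulluser), "%s%s%s", a->prefix, user, a->suffix);
    return fulluser;
}

int main(void)
{
    /* Constructed inputs: the URL from the report, then a suffix-less one. */
    const char *args[] = {
        "ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users",
        "ldap://ActiveDirectory/dc=domain,dc=com;EXAMPLE\\",
    };
    for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        struct ldap_arg a = parse_auth_arg(args[i]);
        printf("fields=%d basedn=\"%s\" suffix=\"%s\" bind=\"%s\"\n",
               a.fields, a.basedn, a.suffix, bind_name(&a, "userid"));
    }
    return 0;
}
```

To bind as the full DN the reporter expected with this code, the base DN has to be written into the suffix part of the URL itself.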