The following bug has been logged on the website:
Bug reference: 13625
Logged by: rysiek
Email address: rysiek@hackerspace.pl
PostgreSQL version: 9.4.4
Operating system: Debian GNU/Linux
Description:
PostgreSQL does not seem to support LDAP connections via UNIX sockets, due to its use of the deprecated function `ldap_init()`.
The documentation contains ample information on connecting to LDAP:
http://www.postgresql.org/docs/9.4/static/auth-methods.html#AUTH-LDAP
However, there seems to be no way of providing a UNIX socket path for the connection.
Combinations tried:
ldapurl="ldap:///var/run/slapd/ldapi/dc=example,dc=com?cn"
ldapurl="ldap://%2fvar%2frun%2fslapd%2fldapi/dc=example,dc=com?cn"
ldapurl="ldap://%x2fvar%x2frun%x2fslapd%x2fldapi/dc=example,dc=com?cn"
ldapurl="ldapi:///var/run/slapd/ldapi/dc=example,dc=com?cn"
ldapurl="ldapi://%2fvar%2frun%2fslapd%2fldapi/dc=example,dc=com?cn"
ldapurl="ldapi://%x2fvar%x2frun%x2fslapd%x2fldapi/dc=example,dc=com?cn"
ldapserver="/var/run/slapd/ldapi"
ldapserver="%2fvar%2frun%2fslapd%2fldapi"
ldapserver="%x2fvar%x2frun%x2fslapd%x2fldapi"
ldapserver="ldapi:///var/run/slapd/ldapi"
ldapserver="ldapi://%2fvar%2frun%2fslapd%2fldapi"
ldapserver="ldapi://%x2fvar%x2frun%x2fslapd%x2fldapi"
Some of these cause PostgreSQL not to start at all, either with exit code 1 or 139; some fail when authentication is required, either with "LOG: could not initialize LDAP: No such file or directory" or "LOG: could not perform initial LDAP bind for ldapbinddn "(null)" on server "/var/run/slapd/ldapi": Can't contact LDAP server".
The socket does exist and the `ldapsearch` utility successfully connects and retrieves data from the LDAP server.
PostgreSQL uses the `ldap_init()` function in its code:
http://git.postgresql.org/gitweb/?p=postgresql.git&a=search&h=HEAD&st=grep&s=ldap_init
This function is, however, deprecated:
http://www.openldap.org/software//man.cgi?query=ldap_init&sektion=3&apropos=0&manpath=OpenLDAP+2.4-Release
"At this time, ldap_open() and ldap_init() are deprecated in favor of ldap_initialize(), essentially because the latter allows to specify a schema in the URI and it explicitly returns an error code."
Switching to `ldap_initialize()` would not only mean that a deprecated function is not used anymore, but also would allow PostgreSQL to utilize UNIX socket LDAP connections.
--
Regards,
Michał "rysiek" Woźniak
http://rys.io/
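Added illustration, not part of the report and not PostgreSQL's or OpenLDAP's code: a small Python parser (hypothetical helpers `parse_ldap_url` and `classify_urls`) that decodes each ldapurl value tried above under OpenLDAP's ldapi:// convention, where the socket path is percent-encoded into the host field of the URL, and reports which transport each form actually names. Only the `ldapi://%2f...` form yields an absolute socket path together with the intended base DN; the `ldap:///...` and `ldapi:///...` forms silently swallow the path into the base DN.

```python
from urllib.parse import urlsplit, unquote

# Constructed input: the ldapurl values listed in the report.
REPORTED_URLS = [
    "ldap:///var/run/slapd/ldapi/dc=example,dc=com?cn",
    "ldap://%2fvar%2frun%2fslapd%2fldapi/dc=example,dc=com?cn",
    "ldap://%x2fvar%x2frun%x2fslapd%x2fldapi/dc=example,dc=com?cn",
    "ldapi:///var/run/slapd/ldapi/dc=example,dc=com?cn",
    "ldapi://%2fvar%2frun%2fslapd%2fldapi/dc=example,dc=com?cn",
    "ldapi://%x2fvar%x2frun%x2fslapd%x2fldapi/dc=example,dc=com?cn",
]
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Hypothetical helper: decode one LDAP URL into transport, endpoint,
    base DN and attribute list. For ldapi:// the host field carries the
    percent-encoded socket path; an empty host means the library's default
    socket. Invalid escapes such as '%x2f' are left as-is so they stay visible."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    endpoint = unquote(parts.netloc)
    info = {
        "scheme": scheme,
        "base_dn": unquote(parts.path.lstrip("/")),  # text after host = base DN
        "attrs": [a for a in unquote(parts.query).split(",") if a],
    }
    if scheme == "ldapi":
        info["transport"] = "socket"
        info["endpoint"] = endpoint or "<default socket>"
        # A socket path must be absolute (or empty, meaning the default one).
        info["well_formed"] = endpoint == "" or endpoint.startswith("/")
    else:
        host, _, port = endpoint.partition(":")
        info["transport"] = "tcp"
        port_no = int(port) if port else DEFAULT_PORTS[scheme]
        info["endpoint"] = "%s:%d" % (host or "localhost", port_no)
        # A TCP host must be a host name, not a path or a broken escape.
        info["well_formed"] = "/" not in host and "%" not in host
    return info


def classify_urls(urls=REPORTED_URLS):
    """Return (url, transport, endpoint, well_formed) for each URL."""
    return [(u, i["transport"], i["endpoint"], i["well_formed"])
            for u in urls for i in [parse_ldap_url(u)]]


if __name__ == "__main__":
    for row in classify_urls():
        print("%-60s %-6s %-30s %s" % row)
```

A URI of this shape is what `ldap_initialize()` parses; `ldap_init()` takes only a host name and a port, so a socket path has nowhere to go, which is consistent with the "No such file or directory" and "Can't contact LDAP server" results above.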