Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS

stephen layland <steve@68k.org> writes:
> I've written a quick patch against the head branch (8.4DEV, but it also
> works with 8.1.3 sources) to fix LDAP authentication support to
> work with LDAPS servers that do not need start TLS.   I'd be interested
> to hear your opinions on this.

Not being an LDAP user, I'm not very qualified to comment on the details
here, but ...

>     My solution was to create a boolean config variable called
>     ldap_use_start_tls which the user can toggle whether or not
>     start tls is necessary.

... I really don't like using a GUC variable to determine the
interpretation of entries in pg_hba.conf.  A configuration file exists
to set configuration, it shouldn't need help from a distance.  Also,
doing it this way means that if several different LDAP servers are
referenced in different pg_hba.conf entries, they'd all have to have
the same encryption behavior.

I think a better idea is to embed the flag in the pg_hba.conf entry
itself.  Perhaps something like "ldapso:" instead of "ldaps:" to
indicate "old" secure ldap protocol, or include another parameter
in the URL body.
        regards, tom lane