Re: So, what's the "base dn" in an LDAP URL again?
From | Magnus Hagander |
---|---|
Subject | Re: So, what's the "base dn" in an LDAP URL again? |
Date | |
Msg-id | 4892FA26.30706@hagander.net |
In response to | So, what's the "base dn" in an LDAP URL again? (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |

Tom Lane wrote:
> The fine manual claims that the "base dn" part of an LDAP URL
> is meaningful:
>
> The server will bind to the distinguished name specified as base
> dn using the user name supplied by the client. If prefix and
> suffix is specified, it will be prepended and appended to the
> user name before the bind.
>
> But looking at CheckLDAPAuth() just now, it doesn't do anything at all
> with the basedn part of the string. Seems to me this is either a code
> bug or a docs bug.

I think it's a docs bug. You don't "bind to the dn...". You bind *with* a DN, and that one is made out of <prefix><username><suffix>.

IIRC, my original intent was for it to bind using that and then attempt to access the location specified by basedn, so one could set permissions on that object. But I never did implement that - and even if I did, the docs would still be wrong.

So, the docs should be fixed - I'll take a look at that.

It does mean that basedn isn't used, and could be removed. But we're obviously not going to do that in a backbranch, since it'd change the syntax. As for HEAD, I'd leave it in as well, since the changes I'm working on for pg_hba parameters will likely make the syntax change anyway - and there's no point in doing it twice.

Seems fair?

//Magnus