Re: BUG #15495: Ldap authentication not working with multiple serverin Postgresql 11
From | Thomas Munro |
---|---|
Subject | Re: BUG #15495: Ldap authentication not working with multiple serverin Postgresql 11 |
Date | |
Msg-id | CAEepm=0niUx=1g98ZZFd+2+dQDBeVgW=ppzVnW5Mpq65QP-6UQ@mail.gmail.com |
In response to | Re: BUG #15495: Ldap authentication not working with multiple serverin Postgresql 11 (Thomas Munro <thomas.munro@enterprisedb.com>) |
Responses | Re: BUG #15495: Ldap authentication not working with multiple serverin Postgresql 11 |
List | pgsql-bugs |
On Sat, Nov 10, 2018 at 8:28 AM Thomas Munro <thomas.munro@enterprisedb.com> wrote:
> On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
> <noreply@postgresql.org> wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 15495
> > Logged by: Renaud Navarro
> > Email address: rnavarro@nocibe.fr
> > PostgreSQL version: 11.1
> > Operating system: Oracle Linux 7.5
> > Description:
> >
> > Hi
> >
> > After upgrading the database from postgresql 10.5 to postgresql 11.1, LDAP
> > authentication no longer works with multiple ldap servers specified.
> > The pg_hba.conf has the following line :
> > hostssl all all 172.20.0.0/16 ldap
> > ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net"
> > ldapprefix="NOCIBE\" ldaptls=1 "
> > I have the following error in log file :
> > 2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad
> > parameter to an ldap routine
> > 2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for
> > user "admin_rnavarro"
> > If I modify the pg_hba.conf with one LDAP server, the authentication is
> > working.
> > The same entry with postgresql 10.5 works perfectly
>
> Thanks for the report. I see the problem. In commit
> 35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
> to ldap_initialize() because the newer interface supports LDAPS. To
> do that we have to build a URI from the given protocol, server and
> port. I overlooked the case where multiple servers are specified in
> ldapserver. If you say ldapserver="a b c" then we generate a URI
> "ldap://a b c:389", but it looks like we should instead generate a URI
> list "ldap://a:389 ldap://b:389 ldap://c:389".

Here's a draft patch.

--
Thomas Munro
http://www.enterprisedb.com
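
The URI-list construction described in the message above, as an added C example; it is not the draft patch attached to the message and not PostgreSQL's code. The helper name `build_ldap_uri_list` and its signature are hypothetical, and it assumes the host names are separated by spaces and carry no port of their own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper (illustration only): turn a space-separated host list
 * such as "a b c" into "ldap://a:389 ldap://b:389 ldap://c:389".
 * Returns a malloc'd string the caller frees, or NULL on bad input or OOM.
 */
char *
build_ldap_uri_list(const char *scheme, const char *hosts, int port)
{
    size_t      cap;
    size_t      used = 0;
    char       *out;
    const char *p = hosts;

    if (scheme == NULL || hosts == NULL || port < 1 || port > 65535)
        return NULL;

    /*
     * Upper bound: each host adds a separator, "scheme://", ":" and at most
     * five port digits, and there are at most strlen(hosts) hosts.
     */
    cap = strlen(hosts) * (strlen(scheme) + 11) + 1;
    out = malloc(cap);
    if (out == NULL)
        return NULL;
    out[0] = '\0';

    while (*p != '\0')
    {
        size_t      len;

        p += strspn(p, " ");    /* skip separators, including repeats */
        len = strcspn(p, " ");  /* length of the next host name */
        if (len == 0)
            break;              /* only trailing spaces were left */
        used += (size_t) snprintf(out + used, cap - used, "%s%s://%.*s:%d",
                                  used > 0 ? " " : "", scheme,
                                  (int) len, p, port);
        p += len;
    }

    if (used == 0)              /* no host name at all: reject, not "ldap://:389" */
    {
        free(out);
        return NULL;
    }
    return out;
}
```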