From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgreSQL(dot)org |
Subject: | Re: So, what's the "base dn" in an LDAP URL again? |
Date: | 2008-08-01 11:57:26 |
Message-ID: | 4892FA26.30706@hagander.net |
Lists: | pgsql-hackers |
Tom Lane wrote:
> The fine manual claims that the "base dn" part of an LDAP URL
> is meaningful:
>
> The server will bind to the distinguished name specified as base
> dn using the user name supplied by the client. If prefix and
> suffix is specified, it will be prepended and appended to the
> user name before the bind.
>
> But looking at CheckLDAPAuth() just now, it doesn't do anything at all
> with the basedn part of the string. Seems to me this is either a code
> bug or a docs bug.

I think it's a docs bug. You don't "bind to the dn...". You bind *with*
a DN, and that one is made out of <prefix><username><suffix>.

IIRC, my original intent was for it to bind using that and then attempt
to access the location specified by basedn, so one could set permissions
on that object. But I never did implement that - and even if I did, the
docs would still be wrong.

So, the docs should be fixed - I'll take a look at that.

It does mean that basedn isn't used, and could be removed. But we're
obviously not going to do that in a backbranch, since it'd change the
syntax. As for HEAD, I'd leave it in as well, since the changes I'm
working on for pg_hba parameters will likely make the syntax change
anyway - and there's no point in doing it twice. Seems fair?

//Magnus