From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Robert Fleming <fleminra(at)gmail(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: LDAP where DN does not include UID attribute |
Date: | 2009-09-17 18:15:35 |
Message-ID: | 9837222c0909171115s6b68c509v82a45413c6f62b2a@mail.gmail.com |
Lists: | pgsql-hackers |

On Thu, Sep 17, 2009 at 18:02, Robert Fleming <fleminra(at)gmail(dot)com> wrote:
> Following a discussion on the pgsql-admin list
> <http://archives.postgresql.org/pgsql-admin/2009-09/msg00075.php>, I have
> created a patch to (optionally) allow PostgreSQL to do a LDAP search to
> determine the user's DN (as is done in Apache, MediaWiki, Bugzilla, et al.)
> instead of building the DN from a prefix and suffix.
>
> This is necessary for schemas where the login attribute is not in the DN,
> such as is described here
> <http://www.ldapman.org/articles/intro_to_ldap.html#individual> (look for
> "name-based"). This patch is against PostgreSQL 8.4.0 from Debian
> Lenny-backports. If this would be a welcome addition, I can port it forward
> to the latest from postgresql.org.
>
> Thanks in advance for your feedback.

This sounds like a very useful feature, and one that I can then remove
from my personal TODO list without having to do much work :-)

A couple of comments:

First of all, please read up on the PostgreSQL coding style, or at
least look at the code around yours. This doesn't look anything like
our standards.

Second, this appears to require an anonymous bind to the directory,
which is something we should not encourage people to enable on their
LDAP servers. I think we need to also take parameters with a DN and a
password to bind with in order to do the search, and then re-bind as
the user when found.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
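
The search-then-rebind flow proposed in the reply above, as an added example that is not part of the original message or of PostgreSQL's code. `FakeDirectory`, `ENTRIES`, `SEARCH_DN` and every DN and password are constructed stand-ins for a real LDAP server; the filter escaping, single-match check and empty-password rejection are assumptions about what a careful implementation would include.

```python
import re
# Constructed sample directory: DNs are name-based, so uid is not part of the DN.
ENTRIES = {
    "cn=Alice Example,ou=people,dc=example,dc=org": {"uid": "alice", "pw": "a-secret"},
    "cn=Bob Example,ou=people,dc=example,dc=org": {"uid": "bob", "pw": "b-secret"},
    "cn=pgsearch,ou=services,dc=example,dc=org": {"uid": "pgsearch", "pw": "svc-secret"},
}
SEARCH_DN = "cn=pgsearch,ou=services,dc=example,dc=org"

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name only matches literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _to_regex(token):
    # Unescaped '*' is the LDAP wildcard; an escaped \xx pair is a literal character.
    if token == "*":
        return ".*"
    if re.fullmatch(r"\\[0-9a-f]{2}", token):
        return re.escape(chr(int(token[1:], 16)))
    return re.escape(token)

class FakeDirectory:
    """Hypothetical stand-in for an LDAP connection with anonymous search disabled."""
    def __init__(self):
        self.bound_dn = None

    def simple_bind(self, dn, password):
        # An empty password would be an unauthenticated bind, not a verified login.
        entry = ENTRIES.get(dn)
        ok = bool(password) and entry is not None and entry["pw"] == password
        self.bound_dn = dn if ok else None
        return ok

    def search(self, attr, filter_value):
        if self.bound_dn is None:
            raise PermissionError("anonymous search refused")
        tokens = re.split(r"(\\[0-9a-f]{2}|\*)", filter_value)
        pattern = "".join(_to_regex(t) for t in tokens)
        return [dn for dn, e in ENTRIES.items() if re.fullmatch(pattern, e[attr])]

def authenticate(login, password, search_dn, search_pw, attr="uid"):
    """Bind as the search account, find exactly one DN, then re-bind as the user."""
    conn = FakeDirectory()
    if not password or not conn.simple_bind(search_dn, search_pw):
        return None
    matches = conn.search(attr, escape_filter_value(login))
    if len(matches) != 1:  # no entry, or an ambiguous result, both fail
        return None
    return matches[0] if conn.simple_bind(matches[0], password) else None
```

The search account only needs read access to the login attribute, and the user's own password is checked solely by the final re-bind.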