From: | Peter Eisentraut <peter(at)eisentraut(dot)org> |
---|---|
To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Document use of ldapurl with LDAP simple bind |
Date: | 2024-06-28 07:11:42 |
Message-ID: | 99058de4-bf2a-497a-91a3-537228ad143f@eisentraut.org |
Lists: | pgsql-hackers |

On 24.05.24 20:54, Jacob Champion wrote:
> Our documentation implies that the ldapurl setting in pg_hba is used
> for search+bind mode only. It was pointed out to me recently that this
> is not true, and if you're dealing with simple bind on a non-standard
> scheme or port, then ldapurl makes the HBA easier to read:
>
> ... ldap ldapurl="ldaps://ldap.example.net:49151" ldapprefix="cn="
> ldapsuffix=", dc=example, dc=net"
>
> 0001 tries to document this helpful behavior a little better, and 0002
> pins it with a test. WDYT?

Yes, this looks correct. Since ldapurl is really just a shorthand that
is expanded to various other parameters, it makes sense that it would
work for simple bind as well.

hba.c has this error message:

"cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute,
ldapsearchfilter, or ldapurl together with ldapprefix"

This appears to imply that specifying ldapurl is only applicable for
search+bind. Maybe that whole message should be simplified to something
like

"configuration mixes arguments for simple bind and search+bind"

(The old wording also ignores that the error might arise via "ldapsuffix".)
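
The expansion described in this message can be modelled as follows. This is an added illustration, not part of the thread and not PostgreSQL's hba.c code. The function names, the dict-based input, and the treatment of an empty base DN as unset are assumptions; the URL layout `ldap[s]://host[:port]/basedn?attribute?scope?filter` is the one given in the pg_hba.conf documentation.

```python
from urllib.parse import urlsplit, unquote

# Options that only make sense in one of the two LDAP modes.
SEARCH_ONLY = ("ldapbasedn", "ldapbinddn", "ldapbindpasswd",
               "ldapsearchattribute", "ldapsearchfilter")
SIMPLE_ONLY = ("ldapprefix", "ldapsuffix")


def expand_ldapurl(url):
    """Expand an ldapurl into the individual options it is shorthand for
    (simplified model; hypothetical helper)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported LDAP URL scheme: {parts.scheme!r}")
    opts = {"ldapscheme": parts.scheme, "ldapserver": parts.hostname}
    if parts.port is not None:
        opts["ldapport"] = str(parts.port)
    basedn = unquote(parts.path.lstrip("/"))
    if basedn:                      # assumption: empty DN counts as unset
        opts["ldapbasedn"] = basedn
    # Remaining components are '?'-separated: attribute, scope, filter.
    attr, scope, filt = (parts.query.split("?") + ["", "", ""])[:3]
    if attr:
        opts["ldapsearchattribute"] = unquote(attr.split(",")[0])
    if scope:
        opts["ldapscope"] = scope
    if filt:
        opts["ldapsearchfilter"] = unquote(filt)
    return opts


def classify(options):
    """Return 'simple bind' or 'search+bind' for a dict of pg_hba LDAP
    options, rejecting configurations that mix the two modes."""
    opts = {k: v for k, v in options.items() if k != "ldapurl"}
    if "ldapurl" in options:
        opts.update(expand_ldapurl(options["ldapurl"]))
    simple = any(k in opts for k in SIMPLE_ONLY)
    search = any(k in opts for k in SEARCH_ONLY)
    if simple and search:
        raise ValueError(
            "configuration mixes arguments for simple bind and search+bind")
    if not simple and not search:
        raise ValueError("neither simple bind nor search+bind is configured")
    return "simple bind" if simple else "search+bind"
```

A URL carrying only scheme, host and port contributes no search-only option, which is why the HBA line quoted above is valid simple bind; a URL with a base DN combined with `ldapprefix` or `ldapsuffix` is the mixed case the error message is about.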