| From: | Graham Leggett <minfrin(at)sharp(dot)fm> |
|---|---|
| To: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> |
| Cc: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: DNS SRV support for LDAP authentication |
| Date: | 2019-02-02 11:34:56 |
| Message-ID: | B402F59D-50BA-4E58-8BBE-768F17F76AFF@sharp.fm |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 02 Feb 2019, at 01:57, Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> wrote:
> On Sat, Feb 2, 2019 at 9:25 AM Graham Leggett <minfrin(at)sharp(dot)fm> wrote:
>> On 25 Sep 2018, at 04:09, Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> wrote:
>>> Some people like to use DNS SRV records to advertise LDAP servers on
>>> their network. Microsoft Active Directory is usually (always?) set up
>>> that way. Here is a patch to allow our LDAP auth module to support
>>> that kind of discovery.
>>
>> Does this support SSL/TLS?
>
> I didn't try it myself but I found several claims that it works. I
> see complaints that it always looks for _ldap._tcp and not _ldaps._tcp
> as you might expect when using ldascheme=ldaps, but that doesn't seem
> to be a big problem. As for ldaptls=1, that must work because it
> doesn't even negotiate that until after the connection is made.
If the LDAP server was bound to port 636, how would the client know to use a direct SSL/TLS connection and not STARTTLS?
Regards,
Graham
—
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2019-02-02 12:03:13 | Re: WIP: Avoid creation of the free space map for small tables |
| Previous Message | Noah Misch | 2019-02-02 08:38:22 | Spurious "apparent wraparound" via SimpleLruTruncate() rounding |