Quick Links

Re: More flexible LDAP auth search filters?

From:	Magnus Hagander <magnus(at)hagander(dot)net>
To:	Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>
Cc:	Pg Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject:	Re: More flexible LDAP auth search filters?
Date:	2017-07-14 11:04:18
Message-ID:	CABUevEz4rB4MHw=XF-DAPgrCFZP9jC2kFprZmWoDaJViRGmsKg@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com
> wrote:

> Hi hackers,
>
> A customer asked how to use pg_hba.conf LDAP search+bind
> authentication to restrict logins to users in one of a small number of
> groups. ldapsearchattribute only lets you make filters like
> "(foo=username)", so it couldn't be done. Is there any reason we
> should allow a more general kind of search filter constructions?
>
> A post on planet.postgresql.org today reminded me that a colleague had
> asked me to post this POC patch here for discussion. It allows custom
> filters with ldapsearchprefix and ldapsearchsuffix. Another approach
> might be to take a filter pattern with "%USERNAME%" or whatever in it.
> There's an existing precedent for the prefix and suffix approach, but
> on the other hand a pattern approach would allow filters where the
> username is inserted more than once.
>

Do we even need prefix/suffix? If we just make it "ldapsearchpattern", then
you could have something like:

ldapsearchattribute="uid"
ldapsearchfilter="|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team)"

We could then always to substitution of the kind:
(&(attr=<uid>)(<filter>))

which would in this case give:
(&(uid=mha)(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team)))

Basically we'd always AND together the username lookup with the additional
filter.

Perhaps there are better ways to organise your LDAP servers so that
> this sort of thing isn't necessary. I don't know. Thoughts?
>

I think something along this way is definitely wanted. We can argue the
syntax, but being able to filter like this is definitely useful.

(FWIW, a workaround I've applied more than once to this in AD environments
(where kerberos for one reason or other can't be done, sorry Stephen) is to
set up a RADIUS server and use that one as a "middle man". But it would be
much better if we could do it natively)

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>

In response to

More flexible LDAP auth search filters? at 2017-07-13 07:31:51 from Thomas Munro

Responses

Re: More flexible LDAP auth search filters? at 2017-07-15 23:08:42 from Thomas Munro
Re: More flexible LDAP auth search filters? at 2017-07-16 21:05:17 from Stephen Frost

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Fabien COELHO	2017-07-14 11:58:21	Re: WIP Patch: Pgbench Serialization and deadlock errors
Previous Message	Michael Paquier	2017-07-14 10:39:16	Adding -E switch to pg_dumpall