Re: pgsql: Allow ldaps when using ldap authentication

From: Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-committers <pgsql-committers(at)postgresql(dot)org>
Subject: Re: pgsql: Allow ldaps when using ldap authentication
Date: 2018-01-03 21:24:43
Message-ID: CAEepm=2=wnbjVtARnO0513w0rW9FWS7yZ3ZNz6VYTr4-j-aSAQ@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-committers

On Thu, Jan 4, 2018 at 9:07 AM, Thomas Munro
<thomas(dot)munro(at)enterprisedb(dot)com> wrote:
> On Thu, Jan 4, 2018 at 4:14 AM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
>> Allow ldaps when using ldap authentication
>
> Other Windows systems seem OK with this, but baiji said:
>
> .\src\backend\libpq\auth.c(2538): error C2065: 'LDAPS_PORT' :
> undeclared identifier
>
> Checking where that's supposed to come from...

Windows documentation talks about LDAP_SSL_PORT instead. I assume
that "Vista Ultimate 6.0.6000 MSVC 2005 Pro 8.0.50727.867" doesn't
define LDAPS_PORT, but some later version added it for compatibility
with OpenLDAP. Let's just define it ourselves if it's undefined as we
did for some other LDAP macros, since its value is well known (it's an
IANA-registered port). See attached.

While poking around in the documentation, I came across this
surprising sentence[1]: "Be aware that even if the secure parameter is
set to zero, if the PortNumber parameter is set to LDAP_SSL_PORT (636)
or to LDAP_SSL_GC_PORT (3269), an encrypted session is initiated."
Huh. That wasn't mentioned on the main page for the function[2] and
I don't like it, because it means that the same connection string
could have a different meaning on Windows and Unix. So I also propose
that we also tweak the code to prevent that.

I don't have a Windows system myself, but this builds OK on Appveyor CI.

[1] https://msdn.microsoft.com/en-us/library/aa367031(v=vs.85).aspx
[2] https://msdn.microsoft.com/en-us/library/aa366996(v=vs.85).aspx

--
Thomas Munro
http://www.enterprisedb.com

Attachment Content-Type Size
tweak-ldaps-windows.patch application/octet-stream 1.7 KB

In response to

Responses

Browse pgsql-committers by date

  From Date Subject
Next Message Alvaro Herrera 2018-01-03 21:31:56 Re: pgsql: Fix deadlock hazard in CREATE INDEX CONCURRENTLY
Previous Message Alvaro Herrera 2018-01-03 21:24:41 pgsql: Revert "Fix isolation test to be less timing-dependent"