From: Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>
To: Pg Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: More flexible LDAP auth search filters?
Date: 2017-07-13 07:31:51
Message-ID: CAEepm=0XTkYvMci0WRubZcf_1am8=gP=7oJErpsUfRYcKF2gwg@mail.gmail.com
Lists: pgsql-hackers
Hi hackers,
A customer asked how to use pg_hba.conf LDAP search+bind
authentication to restrict logins to users in one of a small number of
groups. ldapsearchattribute only lets you make filters like
"(foo=username)", so it couldn't be done. Is there any reason we
should allow a more general kind of search filter constructions?
A post on planet.postgresql.org today reminded me that a colleague had
asked me to post this POC patch here for discussion. It allows custom
filters with ldapsearchprefix and ldapsearchsuffix. Another approach
might be to take a filter pattern with "%USERNAME%" or whatever in it.
There's an existing precedent for the prefix and suffix approach, but
on the other hand a pattern approach would allow filters where the
username is inserted more than once.
Motivating example:
ldapsearchprefix="(&(cn="
ldapsearchsuffix = ")(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team))"
Note that with this patch ldapsearchattribute=cn is equivalent to:
ldapsearchprefix="(cn="
ldapsearchsuffix=")"
Perhaps there are better ways to organise your LDAP servers so that
this sort of thing isn't necessary. I don't know. Thoughts?
--
Thomas Munro
http://www.enterprisedb.com
Attachment: ldap-search-filters-v1.patch (application/octet-stream, 8.2 KB)
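Added example, not from Thomas's patch: a C helper showing how a prefix/suffix pair from pg_hba.conf can be combined with the role name into the complete search filter. The function name build_ldap_filter is hypothetical; it escapes the role name as RFC 4515 requires, which is the check a server-side implementation needs so that characters like `*` or `)` in a supplied name cannot change the structure of the filter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper (not PostgreSQL code): splice the role name between
 * ldapsearchprefix and ldapsearchsuffix.  The name is escaped per RFC 4515
 * first, so filter metacharacters in it become "\XX" hex escapes instead
 * of altering the filter.  Returns a malloc'd string; the caller frees it.
 */
char *
build_ldap_filter(const char *prefix, const char *suffix, const char *user)
{
    size_t  plen = strlen(prefix);
    size_t  slen = strlen(suffix);
    size_t  ulen = strlen(user);
    /* worst case: every character of the name becomes a 3-byte escape */
    char   *out = malloc(plen + slen + ulen * 3 + 1);
    char   *p;

    if (out == NULL)
        return NULL;
    memcpy(out, prefix, plen);
    p = out + plen;
    for (const char *c = user; *c; c++)
    {
        switch (*c)
        {
            case '*': case '(': case ')': case '\\':
                /* RFC 4515 escape: backslash followed by two hex digits */
                p += sprintf(p, "\\%02x", (unsigned char) *c);
                break;
            default:
                *p++ = *c;
        }
    }
    memcpy(p, suffix, slen);
    p[slen] = '\0';
    return out;
}

int
main(void)
{
    /* the motivating example from the mail, with a constructed role name */
    char *f = build_ldap_filter("(&(cn=",
                ")(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team))",
                "alice");
    printf("%s\n", f);
    free(f);
    return 0;
}
```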