From: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | Mark Cave-Ayland <mark(dot)cave-ayland(at)ilande(dot)co(dot)uk>, Magnus Hagander <magnus(at)hagander(dot)net>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: More flexible LDAP auth search filters? |
Date: | 2017-09-12 03:58:52 |
Message-ID: | CAEepm=194wxys-1wNPcvmWhLhWQX9jq6kr-uEAfbu33vfYsB2Q@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Sep 12, 2017 at 7:21 AM, Peter Eisentraut
<peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> On 9/8/17 13:24, Mark Cave-Ayland wrote:
>> My weapon of choice for LDAP deployments on POSIX-based systems is
>> Arthur De Jong's nss-pam-ldapd (https://arthurdejong.org/nss-pam-ldapd)
>> which is far more flexible than pam_ldap and fixes a large number of
>> bugs, including the tendency for pam_ldap to hang infinitely if it can't
>> contact its LDAP server.
>>
>> Take a look at nss-pam-ldapd's man page for nslcd.conf and in particular
>> pam_authz_search - this is exactly the type of filters I would end up
>> deploying onto servers. This happens a lot in large organisations
>> whereby getting group memberships updated in the main directory can take
>> days/weeks whereas someone with root access to the server itself can
>> hard-code an authentication list of users and/or groups in an LDAP
>> filter in just a few minutes.
>
> Thomas, would you consider using the placeholder syntax described at
> <https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5> under
> pam_authz_search?
Sounds good. Here it is with $username. It's nice not to have to
escape any characters in URLs. I suppose more keywords could be added
in follow-up patches if someone thinks that would be useful
($hostname, $dbname, ...?). I got sick of that buffer sizing code and
changed it to use StringInfo. Here also are your test patches tweaked
slightly: 0002 just adds FreeBSD support as per previous fixup and
0003 changes to $username.
--
Thomas Munro
http://www.enterprisedb.com
Attachment | Content-Type | Size |
---|---|---|
0001-Allow-custom-search-filters-to-be-configured-for-LDA.patch | application/octet-stream | 11.0 KB |
0002-Add-LDAP-authentication-test-suite.patch | application/octet-stream | 8.0 KB |
0003-Add-tests-for-ldapsearchfilter-functionality.patch | application/octet-stream | 3.6 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Kyotaro HORIGUCHI | 2017-09-12 04:14:41 | Re: WAL logging problem in 9.4.3? |
Previous Message | Haribabu Kommi | 2017-09-12 03:36:37 | Re: pg_stat_wal_write statistics view |