From: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> |
---|---|
To: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: LDAPS |
Date: | 2017-11-12 21:25:07 |
Message-ID: | CAEepm=2bgziTYB5_CXTEWCB5byvyyXMqKLfEK50Wn3nRzSkqtQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Sat, Nov 4, 2017 at 2:05 AM, Thomas Munro
<thomas(dot)munro(at)enterprisedb(dot)com> wrote:
> I've only tested the attached lightly on FreeBSD + OpenLDAP and
> don't know if it'll work elsewhere.
While rebasing this on top of nearby changes, I looked into how
portable it is. The previous version unconditionally used
ldap_initialize() instead of ldap_init() in order to be able to pass
in ldap or ldaps. According to the man pages on my system:
At this time, ldap_open() and ldap_init() are deprecated in favor of
ldap_initialize(), essentially because the latter allows to specify a
schema in the URI and it explicitly returns an error code.
But:
1. It looks like ldap_initialize() arrived in OpenLDAP 2.4 (2007),
which means that it won't work with RHEL5's OpenLDAP 2.3. That's a
vintage still found in the build farm. This new version of the patch
has a configure test so it can fall back to ldap_init(), dropping
ldaps support. That is possibly also necessary for other
implementations.
2. Windows doesn't have ldap_initialize(), but it has
ldap_sslinit()[1] which adds an SSL boolean argument. I've included
(but not tested) code for that. I would need a Windows + LDAP savvy
person to help test that. I'm not sure if it should also do an
LDAP_OPT_SSL check to see if the server forced the connection back to
plaintext as shown in the Microsoft docs[2], or if that should be
considered OK, or it should be an option.
BTW, Stephen Layland posted a patch for ldaps years ago[3]. It must
have worked some other way though, because he mentions RHEL 4 and
OpenLDAP 2.2/2.3. Unfortunately the patch wasn't attached and the
referenced webserver has disappeared from the intertubes.
I've added this to the January Commitfest.
[1] https://msdn.microsoft.com/en-us/library/aa366996(v=vs.85).aspx
[2] https://msdn.microsoft.com/en-us/library/aa366105(v=vs.85).aspx
[3] https://www.postgresql.org/message-id/20080426010240.GS5734@68k.org
--
Thomas Munro
http://www.enterprisedb.com
Attachment | Content-Type | Size |
---|---|---|
ldaps-v3.patch | application/octet-stream | 12.3 KB |
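As an added illustration of the fallback question discussed above (not code from the patch or from PostgreSQL), this assumed helper shows the two decisions a build has to make before it can call ldap_initialize(): whether this platform has any way to ask for TLS at all, and constructing the scheme://host:port URI while refusing an ldaps request it cannot honour instead of quietly downgrading to ldap://. HAVE_LDAP_INITIALIZE, platform_has_ldaps() and build_ldap_uri() are assumed names; 389 and 636 are the standard LDAP and LDAPS ports.

```c
#include <stdio.h>
#include <string.h>

#define LDAP_PORT  389          /* default for ldap://  */
#define LDAPS_PORT 636          /* default for ldaps:// */

/* Compile-time answer to "can this build ask for TLS at all?", mirroring
 * the configure fallback and the Windows ldap_sslinit() branch from the
 * message. HAVE_LDAP_INITIALIZE is an assumed configure macro name. */
int platform_has_ldaps(void)
{
#if defined(WIN32) || defined(HAVE_LDAP_INITIALIZE)
    return 1;
#else
    return 0;
#endif
}

/* Build the "scheme://host:port" string that ldap_initialize() takes;
 * port 0 selects the scheme's default. have_ldaps says whether TLS can be
 * requested (see platform_has_ldaps): a build that fell back to ldap_init()
 * must reject "ldaps" here rather than silently connect in plaintext.
 * Returns a static buffer, or NULL when the scheme is unknown, the host is
 * empty or carries URI metacharacters, ldaps is requested but unsupported,
 * or the result would not fit. */
const char *build_ldap_uri(const char *scheme, const char *host, int port,
                           int have_ldaps)
{
    static char uri[256];
    int dflt;

    if (strcmp(scheme, "ldap") == 0)
        dflt = LDAP_PORT;
    else if (strcmp(scheme, "ldaps") == 0)
        dflt = LDAPS_PORT;
    else
        return NULL;
    if (host[0] == '\0' || strpbrk(host, "/?#@ ") != NULL)
        return NULL;        /* "host/x" or "u@host" would alter the URI */
    if (dflt == LDAPS_PORT && !have_ldaps)
        return NULL;        /* refuse; never downgrade to ldap:// */
    if (port == 0)
        port = dflt;
    if (snprintf(uri, sizeof uri, "%s://%s:%d", scheme, host, port)
        >= (int) sizeof uri)
        return NULL;
    return uri;
}
```

Calling build_ldap_uri("ldaps", host, 0, platform_has_ldaps()) yields the URI on a build with ldap_initialize() or ldap_sslinit(), and NULL on a build that had to fall back to ldap_init(), which is the point at which the server should report that ldaps is unavailable.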