Re: LDAP authentication not working

From: Stephan Fabel <sfabel(at)hawaii(dot)edu>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Postgres List <pgsql-general(at)postgresql(dot)org>, Jürgen Fuchsberger <juergen(dot)fuchsberger(at)uni-graz(dot)at>
Subject: Re: LDAP authentication not working
Date: 2014-05-14 16:47:45
Message-ID: CANJgB1nuUbXD_iDkT_2us7XHA-J6+XBxGsCsNi-C8CR=W_-2qw@mail.gmail.com
Lists: pgsql-general

On May 14, 2014 12:56 AM, "Magnus Hagander" <magnus(at)hagander(dot)net> wrote:
>
> On Wed, May 14, 2014 at 11:48 AM, Jürgen Fuchsberger <
> juergen(dot)fuchsberger(at)uni-graz(dot)at> wrote:
>>
>>
>>
>> On 05/14/2014 09:10 AM, Magnus Hagander wrote:
>> > On Wed, May 14, 2014 at 8:35 AM, Stephan Fabel <sfabel(at)hawaii(dot)edu
>> > <mailto:sfabel(at)hawaii(dot)edu>> wrote:
>> >
>> > I don't think SSL support for LDAP is supported. Have you tried TLS
>> > on port 389?
>> >
>> Thanks for the hint, no wonder it does not work. Unfortunately this info
>> is not in the postgres documentation.
>
>
> It is - indirectly, in the ldapurl documentation. "To use encrypted LDAP
> connections, the ldaptls option has to be used in addition to ldapurl. The
> ldaps URL scheme (direct SSL connection) is not supported."

In the documentation for 9.1 ldapurl is not mentioned. That's what the OP
is using.

>> This does not work with our LDAP server (seems it is not configured to
>> support TLS)
>
> That's strangely configured. The LDAP TLS support (in the protocol) is
> the standardized one, and the "SSL wrapper" mode is not in the standard.

Enabling TLS on OpenLDAP is trivial, especially if you have SSL enabled
already. Ask your SysAdmin.

> I *think* the "SSL wrapper" really is just that - wrap it in a standard
> SSL connection. In which case it might work if you set up stunnel or
> something like that to proxy the connection for you.

That would work, but it shouldn't be necessary. Just enable TLS in
OpenLDAP.

>> Any idea whether LDAP over SSL will be supported in future postgres
>> releases?
>
> I am not aware of any such plans, but if you (or somebody else) is
> willing to write a patch, I don't see a reason it would be rejected. Even
> though it's non-standard, it's fairly widespread. I recall there being a
> reason it wasn't added in the first place, but I don't recall what it was.
>

I agree that it would be nice to support the LDAPS scheme in PostgreSQL as
well.

-Stephan
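An added example (not from this thread or the PostgreSQL project) that audits the ldap entries of a pg_hba.conf for the two pitfalls discussed above, encoding the rule as the thread states it for PostgreSQL of that era: an ldaps:// ldapurl or ldapport=636 will not work, and without ldaptls=1 the bind goes over the wire unencrypted. The sample configuration, hostnames and DNs are constructed placeholders.

```python
"""Audit pg_hba.conf 'ldap' entries for missing StartTLS and unsupported SSL-wrapper settings."""
import shlex
from urllib.parse import urlsplit

# Constructed sample pg_hba.conf; server name and DNs are placeholders.
SAMPLE_HBA = """
# TYPE  DATABASE  USER  ADDRESS     METHOD  [OPTIONS]
local   all       all               peer
host    all       all   10.0.0.0/8  ldap ldapserver=ldap.example.org ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=org"
host    all       all   10.0.0.0/8  ldap ldapserver=ldap.example.org ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=org"
host    all       all   10.0.0.0/8  ldap ldapurl="ldaps://ldap.example.org/ou=people,dc=example,dc=org?uid?sub"
host    all       all   10.0.0.0/8  ldap ldapserver=ldap.example.org ldapport=636 ldapprefix="uid="
host    all       all   10.0.0.0/8  ldap ldapurl="ldap://ldap.example.org/ou=people,dc=example,dc=org?uid?sub" ldaptls=1
"""


def parse_ldap_options(fields):
    """Turn the trailing key=value tokens of an hba line into a dict (shlex already stripped quotes)."""
    opts = {}
    for tok in fields:
        key, sep, value = tok.partition("=")
        if sep:
            opts[key] = value
    return opts


def audit_hba(text):
    """Return (line_number, finding) pairs for ldap entries that will fail or authenticate in cleartext."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line, comments=True)
        # 'local' entries have no ADDRESS column, so the METHOD column shifts left by one.
        method_idx = 3 if fields[0] == "local" else 4
        if len(fields) <= method_idx or fields[method_idx] != "ldap":
            continue
        opts = parse_ldap_options(fields[method_idx + 1:])
        url = opts.get("ldapurl")
        scheme = urlsplit(url).scheme.lower() if url else ""
        tls = opts.get("ldaptls") == "1"
        if scheme == "ldaps":
            findings.append((num, "ldaps:// scheme is not accepted; use ldap:// with ldaptls=1 (StartTLS on 389)"))
        elif opts.get("ldapport") == "636" and not tls:
            findings.append((num, "port 636 is the SSL-wrapper port, which this method cannot speak; use 389 with ldaptls=1"))
        elif not tls:
            findings.append((num, "no ldaptls=1: the user's password is sent to the LDAP server in cleartext"))
    return findings
```

Run `audit_hba` over the real file's contents; only entries whose METHOD is `ldap` are examined, so peer, md5 and other methods are left alone.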
