Commit 257ef3c

Fix handling of HBA ldapserver with multiple hostnames.
Commit 35c0754 failed to handle space-separated lists of alternative hostnames in ldapserver, when building a URI for ldap_initialize() (OpenLDAP). Such lists need to be expanded to space-separated URIs. Repair. Back-patch to 11, to fix bug report #15495.

Author: Thomas Munro
Reported-by: Renaud Navarro
Discussion: https://postgr.es/m/15495-2c39fc196c95cd72%40postgresql.org
1 parent 6a3dcd2 commit 257ef3c

2 files changed

+54
-6
lines changed

src/backend/libpq/auth.c

Lines changed: 37 additions & 5 deletions
@@ -2352,12 +2352,44 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
23522352
#else
23532353
#ifdef HAVE_LDAP_INITIALIZE
23542354
{
2355-
char *uri;
2355+
const char *hostnames = port->hba->ldapserver;
2356+
char *uris = NULL;
23562357

2357-
uri = psprintf("%s://%s:%d", scheme, port->hba->ldapserver,
2358-
port->hba->ldapport);
2359-
r = ldap_initialize(ldap, uri);
2360-
pfree(uri);
2358+
/*
2359+
* We have a space-separated list of hostnames. Convert it
2360+
* to a space-separated list of URIs.
2361+
*/
2362+
do
2363+
{
2364+
const char *hostname;
2365+
size_t hostname_size;
2366+
char *new_uris;
2367+
2368+
/* Find the leading hostname. */
2369+
hostname_size = strcspn(hostnames, " ");
2370+
hostname = pnstrdup(hostnames, hostname_size);
2371+
2372+
/* Append a URI for this hostname. */
2373+
new_uris = psprintf("%s%s%s://%s:%d",
2374+
uris ? uris : "",
2375+
uris ? " " : "",
2376+
scheme,
2377+
hostname,
2378+
port->hba->ldapport);
2379+
2380+
pfree(hostname);
2381+
if (uris)
2382+
pfree(uris);
2383+
uris = new_uris;
2384+
2385+
/* Step over this hostname and any spaces. */
2386+
hostnames += hostname_size;
2387+
while (*hostnames == ' ')
2388+
++hostnames;
2389+
} while (*hostnames);
2390+
2391+
r = ldap_initialize(ldap, uris);
2392+
pfree(uris);
23612393
if (r != LDAP_SUCCESS)
23622394
{
23632395
ereport(LOG,
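Review bot: the new do/while loop emits a URI for whatever precedes the first space without checking that it is non-empty, so an ldapserver value that starts with a space (or is empty) produces an empty hostname and a URI of the form `<scheme>://:<port>` that nothing here rejects; skipping leading spaces before the first strcspn() and then using `while (*hostnames)` instead of do/while would cover both cases. A secondary point: rebuilding the whole uris string with psprintf() and pfree() on every iteration is quadratic in the number of hostnames, harmless for pg_hba.conf-sized lists, but a StringInfo (initStringInfo/appendStringInfo) would be the more idiomatic way to accumulate it and would drop the `uris ? uris : ""` / `uris ? " " : ""` juggling.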

src/test/ldap/t/001_auth.pl

Lines changed: 17 additions & 1 deletion
@@ -6,7 +6,7 @@
66

77
if ($ENV{with_ldap} eq 'yes')
88
{
9-
plan tests => 19;
9+
plan tests => 22;
1010
}
1111
else
1212
{
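Review bot: the plan count moving from 19 to 22 matches the three test_access calls added under the new "multiple servers" section later in this file; any further case added there (for example one with an unreachable first host) needs this number bumped in step, or the test will fail with a plan mismatch rather than a useful message.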
@@ -179,6 +179,22 @@ sub test_access
179179
$ENV{"PGPASSWORD"} = 'secret1';
180180
test_access($node, 'test1', 0, 'search+bind authentication succeeds');
181181

182+
note "multiple servers";
183+
184+
unlink($node->data_dir . '/pg_hba.conf');
185+
$node->append_conf('pg_hba.conf',
186+
qq{local all all ldap ldapserver="$ldap_server $ldap_server" ldapport=$ldap_port ldapbasedn="$ldap_basedn"}
187+
);
188+
$node->restart;
189+
190+
$ENV{"PGPASSWORD"} = 'wrong';
191+
test_access($node, 'test0', 2,
192+
'search+bind authentication fails if user not found in LDAP');
193+
test_access($node, 'test1', 2,
194+
'search+bind authentication fails with wrong password');
195+
$ENV{"PGPASSWORD"} = 'secret1';
196+
test_access($node, 'test1', 0, 'search+bind authentication succeeds');
197+
182198
note "LDAP URLs";
183199

184200
unlink($node->data_dir . '/pg_hba.conf');
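Review bot: the "multiple servers" case lists the same $ldap_server twice, so it checks that a two-element ldapserver value is accepted and yields a working URI list, but not that the second URI is actually tried when the first host is unavailable, which is the alternative-hostname behaviour the commit message describes; a variant whose first entry is a non-resolving placeholder followed by $ldap_server would exercise that path. The three test_access calls also repeat the preceding single-server block verbatim, so a small loop over the two ldapserver values would keep the test shorter and make the shared expectations obvious.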
