The following bug has been logged online:
Bug reference: 3095
Logged by: Joey Wang
Email address: jwang@sentillion.com
PostgreSQL version: 8.2.3
Operating system: Linux
Description: LDAP authentication parsing incorrectly
Details:
LDAP authentication parsing has two bugs.
When pg_hba.conf contains a line
host all all 127.0.0.1/24 ldap
ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users
We expect the parsing to construct a user DN as
cn=userid,cn=users,dc=domain,dc=com
But
(1) dc=domain,dc=com is ignored. This is the src code from auth.c:
    .....
    /* ldap, no port number */
    r = sscanf(port->auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
               server, basedn, prefix, suffix);
    .....
    snprintf(fulluser, sizeof(fulluser), "%s%s%s",
             prefix, port->user_name, suffix);
    fulluser[sizeof(fulluser) - 1] = '\0';
    r = ldap_simple_bind_s(ldap, fulluser, passwd);
We can see the code did not use basedn.
(2) A suffix containing ',' is converted to another character. This bug is
caused by the parsing algorithm treating the comma as a token separator.
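The following is an added example, not code from PostgreSQL's auth.c or from the reporter. It re-runs the exact sscanf() format quoted in the report against the pg_hba.conf argument from the report and builds the bind DN two ways: as the quoted 8.2.3 code does (prefix + user + suffix, basedn unused) and as the reporter expects (the parsed basedn appended). The user name "userid" is a constructed sample; dn_as_reporter_expects encodes the report's expectation, not any upstream fix. The argument is fed in verbatim, so the pg_hba.conf tokenizer behaviour behind bug (2) is not modelled here.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not PostgreSQL's auth.c): reproduces the sscanf() parse
 * quoted in the bug report and shows what happens to the parsed basedn.
 */

#define LDAP_FIELD_MAX 128

typedef struct {
    char server[LDAP_FIELD_MAX];
    char basedn[LDAP_FIELD_MAX];
    char prefix[LDAP_FIELD_MAX];
    char suffix[LDAP_FIELD_MAX];
} ldap_auth_arg;

/*
 * Parse "ldap://server/basedn;prefix;suffix" with the format string from the
 * report. Returns sscanf()'s match count: 4 on a complete parse.
 * A "%[^;]" conversion needs at least one character, so an empty prefix
 * ("...;;suffix") stops the parse at 2 matches and leaves suffix unset.
 */
int parse_ldap_auth_arg(const char *auth_arg, ldap_auth_arg *out)
{
    memset(out, 0, sizeof(*out));
    return sscanf(auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
                  out->server, out->basedn, out->prefix, out->suffix);
}

/* DN exactly as the quoted 8.2.3 code builds it: prefix + user + suffix.
 * Returns NULL when the argument does not parse completely. */
const char *dn_as_quoted_code_builds(const char *auth_arg, const char *user)
{
    static char dn[3 * LDAP_FIELD_MAX];
    ldap_auth_arg a;

    if (parse_ldap_auth_arg(auth_arg, &a) < 4)
        return NULL;
    snprintf(dn, sizeof(dn), "%s%s%s", a.prefix, user, a.suffix);
    return dn;
}

/* DN as the reporter expects it: the same, with the parsed basedn appended
 * after a comma. This is the report's expectation (assumption), not a fix. */
const char *dn_as_reporter_expects(const char *auth_arg, const char *user)
{
    static char dn[4 * LDAP_FIELD_MAX + 1];
    ldap_auth_arg a;

    if (parse_ldap_auth_arg(auth_arg, &a) < 4)
        return NULL;
    snprintf(dn, sizeof(dn), "%s%s%s,%s", a.prefix, user, a.suffix, a.basedn);
    return dn;
}

int main(void)
{
    /* The auth argument from the report and a constructed sample user name. */
    const char *arg = "ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users";
    const char *user = "userid";

    printf("bound as : %s\n", dn_as_quoted_code_builds(arg, user));
    printf("expected : %s\n", dn_as_reporter_expects(arg, user));
    return 0;
}
```

Running it prints the DN the server would actually bind with next to the one the reporter expects; the difference is exactly the dropped ",dc=domain,dc=com". The early-stop behaviour of "%[^;]" on an empty prefix is a property of sscanf() worth knowing when reading auth_arg formats of this shape.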