Re: BUG #3123: Problem with LDAP auth strings

From Bruce Momjian
Subject Re: BUG #3123: Problem with LDAP auth strings
Date
Msg-id 200703242150.l2OLoiX01516@momjian.us
In response to BUG #3123: Problem with LDAP auth strings  ("Brian Topping" <topping@codehaus.org>)
Responses Re: BUG #3123: Problem with LDAP auth strings  (Magnus Hagander <magnus@hagander.net>)
List pgsql-bugs
I have researched this and the incorrect behavior seems to be totally
caused by the fact that unquoted commas are treated as item separators
in pg_hba.conf.

I have updated the documentation in 8.2 and CVS HEAD to indicate that
the LDAP URL should be double-quoted, and double-quoted the example URL
for emphasis.

If double-quoting does not 100% fix your problem, please let us know.
Thanks.

Documentation patch attached.

---------------------------------------------------------------------------

Brian Topping wrote:
>
> The following bug has been logged online:
>
> Bug reference:      3123
> Logged by:          Brian Topping
> Email address:      topping@codehaus.org
> PostgreSQL version: 8.2
> Operating system:   Linux
> Description:        Problem with LDAP auth strings
> Details:
>
> http://www.mail-archive.com/pgsql-general@postgresql.org/msg92652.html
> outlines a bit of it.
>
> The options to the ldap auth method in pg_hba.conf don't work properly.
> The dn base is completely ignored, and the suffix has all the commas parsed
> out of it for some reason.
>
> If it were working correctly, the base dn would be concatenated with the
> prefix and the username to create the correct DN to send to the server.  The
> suffix should not strictly be necessary.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: explain analyze is your friend

--
  Bruce Momjian  <bruce@momjian.us>          http://momjian.us
  EnterpriseDB                               http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
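
The parsing behaviour described in the message above can be checked for in an existing file. The following is an added example, not part of the original message or of PostgreSQL: a simplified model of the tokenizing rule (whitespace ends a field, an unquoted comma ends an item, double quotes protect both) used to flag `ldap` URLs that would be split. The function names and the sample entries are constructed for illustration.

```python
# Added example: simplified model of pg_hba.conf tokenizing, not PostgreSQL's parser.
# Assumption: whitespace ends a field, an unquoted comma ends an item within a
# field, and double quotes protect both (the behaviour the message describes).

def split_fields(line):
    """Return the fields of one line; each field is a list of comma-separated items."""
    fields, items, cur, in_quotes = [], [], "", False
    for ch in line.rstrip("\n"):
        if ch == '"':
            in_quotes = not in_quotes      # quote marks are not part of the token
        elif in_quotes:
            cur += ch                      # commas and spaces are kept verbatim
        elif ch == "#":
            break                          # rest of the line is a comment
        elif ch == ",":
            items.append(cur)              # unquoted comma: start a new item
            cur = ""
        elif ch.isspace():
            if cur or items:               # whitespace: close the current field
                fields.append(items + [cur])
                items, cur = [], ""
        else:
            cur += ch
    if cur or items:
        fields.append(items + [cur])
    return fields

def find_split_ldap_urls(text):
    """Return (line_number, items) for each ldap URL broken into several items."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for field in split_fields(line):
            if field[0].startswith(("ldap://", "ldaps://")) and len(field) > 1:
                findings.append((n, field))
    return findings

# Constructed sample in the 8.2 entry layout; addresses and names are made up.
SAMPLE = r'''# constructed sample
host all all 10.0.0.0/8 ldap ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\
host all all 10.1.0.0/16 ldap "ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\"
host db1,db2 all 10.2.0.0/16 md5
'''

if __name__ == "__main__":
    for lineno, items in find_split_ldap_urls(SAMPLE):
        print(f"line {lineno}: ldap URL split into {len(items)} items: {items}")
```

Only the unquoted entry is reported; the `db1,db2` field shows the same comma rule working as intended for a database list.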
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.97
diff -c -c -r1.97 client-auth.sgml
*** doc/src/sgml/client-auth.sgml    31 Jan 2007 20:56:16 -0000    1.97
--- doc/src/sgml/client-auth.sgml    24 Mar 2007 21:44:29 -0000
***************
*** 929,937 ****
      <synopsis>
  ldap[<replaceable>s</>]://<replaceable>servername</>[:<replaceable>port</>]/<replaceable>base
dn</replaceable>[;<replaceable>prefix</>[;<replaceable>suffix</>]]
      </synopsis>
!     for example:
      <synopsis>
! ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\
      </synopsis>

     </para>
--- 929,941 ----
      <synopsis>
  ldap[<replaceable>s</>]://<replaceable>servername</>[:<replaceable>port</>]/<replaceable>base
dn</replaceable>[;<replaceable>prefix</>[;<replaceable>suffix</>]]
      </synopsis>
!     Commas are used to specify multiple items in an <literal>ldap</>
!     component.  However, because unquoted commas are treated as item
!     separators in <filename>pg_hba.conf</filename>, it is wise to
!     double-quote the <literal>ldap</> URL to preserve any commas present,
!     e.g.:
      <synopsis>
! "ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\"
      </synopsis>

     </para>
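
Review bot: In the new paragraph, "it is wise to double-quote" understates the problem: by the paragraph's own explanation an unquoted comma is an item separator, so a URL such as the example's dc=example,dc=net is split unless it is quoted. Suggest stating it as a requirement whenever the URL contains a comma, and saying what happens otherwise. The opening sentence, "Commas are used to specify multiple items in an ldap component", does not say which component is meant; naming the base DN would make it clearer. The example also now ends in EXAMPLE\" with a backslash directly before the closing quote, so a sentence confirming that the backslash is taken literally there, and is not read as escaping the quote, would prevent misreading.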
