Re: [HACKERS] More flexible LDAP auth search filters?

Поиск
Список
Период
Сортировка
От Magnus Hagander
Тема Re: [HACKERS] More flexible LDAP auth search filters?
Дата
Msg-id CABUevEz4rB4MHw=XF-DAPgrCFZP9jC2kFprZmWoDaJViRGmsKg@mail.gmail.com
обсуждение исходный текст
Ответ на [HACKERS] More flexible LDAP auth search filters?  (Thomas Munro <thomas.munro@enterprisedb.com>)
Ответы Re: [HACKERS] More flexible LDAP auth search filters?  (Thomas Munro <thomas.munro@enterprisedb.com>)
Re: [HACKERS] More flexible LDAP auth search filters?  (Stephen Frost <sfrost@snowman.net>)
Список pgsql-hackers
Дерево обсуждения


On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro <thomas.munro@enterprisedb.com> wrote:
Hi hackers,

A customer asked how to use pg_hba.conf LDAP search+bind
authentication to restrict logins to users in one of a small number of
groups.  ldapsearchattribute only lets you make filters like
"(foo=username)", so it couldn't be done.  Is there any reason we
should allow a more general kind of search filter constructions?

A post on planet.postgresql.org today reminded me that a colleague had
asked me to post this POC patch here for discussion.  It allows custom
filters with ldapsearchprefix and ldapsearchsuffix.  Another approach
might be to take a filter pattern with "%USERNAME%" or whatever in it.
There's an existing precedent for the prefix and suffix approach, but
on the other hand a pattern approach would allow filters where the
username is inserted more than once.

Do we even need prefix/suffix? If we just make it "ldapsearchpattern", then you could have something like:

ldapsearchattribute="uid"
ldapsearchfilter="|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team)"

We could then always to substitution of the kind:
(&(attr=<uid>)(<filter>))

which would in this case give:
(&(uid=mha)(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team)))


Basically we'd always AND together the username lookup with the additional filter.


Perhaps there are better ways to organise your LDAP servers so that
this sort of thing isn't necessary.  I don't know.  Thoughts?

I think something along this way is definitely wanted. We can argue the syntax, but being able to filter like this is definitely useful.

(FWIW, a workaround I've applied more than once to this in AD environments (where kerberos for one reason or other can't be done, sorry Stephen) is to set up a RADIUS server and use that one as a "middle man". But it would be much better if we could do it natively) 

--

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Michael Paquier
Дата:
Сообщение: [HACKERS] Adding -E switch to pg_dumpall
Следующее
От: Fabien COELHO
Дата:
Сообщение: Re: [HACKERS] WIP Patch: Pgbench Serialization and deadlock errors