[HACKERS] More flexible LDAP auth search filters?

From: Thomas Munro
Subject: [HACKERS] More flexible LDAP auth search filters?
Date:
Msg-id: CAEepm=0XTkYvMci0WRubZcf_1am8=gP=7oJErpsUfRYcKF2gwg@mail.gmail.com
Replies: Re: [HACKERS] More flexible LDAP auth search filters?  (Magnus Hagander <magnus@hagander.net>)
List: pgsql-hackers
Hi hackers,

A customer asked how to use pg_hba.conf LDAP search+bind
authentication to restrict logins to users in one of a small number of
groups.  ldapsearchattribute only lets you make filters like
"(foo=username)", so it couldn't be done.  Is there any reason we
should allow a more general kind of search filter constructions?

A post on planet.postgresql.org today reminded me that a colleague had
asked me to post this POC patch here for discussion.  It allows custom
filters with ldapsearchprefix and ldapsearchsuffix.  Another approach
might be to take a filter pattern with "%USERNAME%" or whatever in it.
There's an existing precedent for the prefix and suffix approach, but
on the other hand a pattern approach would allow filters where the
username is inserted more than once.

Motivating example:

  ldapsearchprefix="(&(cn="
  ldapsearchsuffix=")(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team))"

Note that with this patch ldapsearchattribute=cn is equivalent to:

  ldapsearchprefix="(cn="
  ldapsearchsuffix=")"

Perhaps there are better ways to organise your LDAP servers so that
this sort of thing isn't necessary.  I don't know.  Thoughts?

-- 
Thomas Munro
http://www.enterprisedb.com

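An added example (my own code, not from the post or from PostgreSQL) modelling how the search+bind filter would be assembled from a pg_hba.conf line under the proposed ldapsearchprefix/ldapsearchsuffix options, under the existing ldapsearchattribute form, and under the "%USERNAME%" pattern alternative the post mentions. The RFC 4515 escaping of the client-supplied username is an assumption about what a careful implementation needs, not something the post describes the patch as doing.

```python
# Added example: models filter construction for LDAP search+bind in
# pg_hba.conf. Not PostgreSQL code; the escaping step is my assumption.
RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that a username sent by
    the client cannot change the structure of the filter it lands in."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(username, ldapsearchattribute=None,
                        ldapsearchprefix=None, ldapsearchsuffix=None):
    """Return the filter search+bind would send for this pg_hba.conf line.

    ldapsearchattribute=X is treated as prefix "(X=" plus suffix ")", the
    equivalence the post describes; the two forms may not be mixed.
    """
    if ldapsearchattribute is not None:
        if ldapsearchprefix is not None or ldapsearchsuffix is not None:
            raise ValueError("ldapsearchattribute cannot be combined with "
                             "ldapsearchprefix/ldapsearchsuffix")
        prefix, suffix = f"({ldapsearchattribute}=", ")"
    else:
        prefix, suffix = ldapsearchprefix or "", ldapsearchsuffix or ""
    return prefix + escape_filter_value(username) + suffix


def build_pattern_filter(pattern, username, token="%USERNAME%"):
    """The alternative the post mentions: a pattern in which the username
    may appear more than once. Every occurrence gets the escaped value."""
    return pattern.replace(token, escape_filter_value(username))


# Constructed from the post's motivating example; a final parenthesis is
# appended so that the outer (& is balanced.
GROUP_RESTRICTED = {
    "ldapsearchprefix": "(&(cn=",
    "ldapsearchsuffix": ")(|(memberof=cn=Paris DBA Team)"
                        "(memberof=cn=Tokyo DBA Team)))",
}
```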
