Discussion: BUG #3123: Problem with LDAP auth strings


BUG #3123: Problem with LDAP auth strings

From:
"Brian Topping"
Date:
The following bug has been logged online:

Bug reference:      3123
Logged by:          Brian Topping
Email address:      topping@codehaus.org
PostgreSQL version: 8.2
Operating system:   Linux
Description:        Problem with LDAP auth strings
Details:

http://www.mail-archive.com/pgsql-general@postgresql.org/msg92652.html
outlines a bit of it.

The options to the ldap auth method in pg_hba.conf don't work properly.
The dn base is completely ignored, and the suffix has all the commas parsed
out of it for some reason.

If it were working correctly, the base dn would be concatenated with the
prefix and the username to create the correct DN to send to the server.  The
suffix should not strictly be necessary.

Re: BUG #3123: Problem with LDAP auth strings

From:
Bruce Momjian
Date:
I have researched this and the incorrect behavior seems to be totally
caused by the fact that unquoted commas are treated as item separators
in pg_hba.conf.

I have updated the documentation in 8.2 and CVS HEAD to indicate that
the LDAP URL should be double-quoted, and double-quoted the example URL
for emphasis.

If double-quoting does not 100% fix your problem, please let us know.
Thanks.

Documentation patch attached.

---------------------------------------------------------------------------

Brian Topping wrote:
>
> The following bug has been logged online:
>
> Bug reference:      3123
> Logged by:          Brian Topping
> Email address:      topping@codehaus.org
> PostgreSQL version: 8.2
> Operating system:   Linux
> Description:        Problem with LDAP auth strings
> Details:
>
> http://www.mail-archive.com/pgsql-general@postgresql.org/msg92652.html
> outlines a bit of it.
>
> The options to the ldap auth method in pg_hba.conf doesn't work properly.
> The dn base is completely ignored, and the suffix has all the commas parsed
> out of it for some reason.
>
> If it were working correctly, the base dn would be concatenated with the
> prefix and the username to create the correct DN to send to the server.  The
> suffix should not strictly be necessary.
>

--
  Bruce Momjian  <bruce@momjian.us>          http://momjian.us
  EnterpriseDB                               http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.97
diff -c -c -r1.97 client-auth.sgml
*** doc/src/sgml/client-auth.sgml    31 Jan 2007 20:56:16 -0000    1.97
--- doc/src/sgml/client-auth.sgml    24 Mar 2007 21:44:29 -0000
***************
*** 929,937 ****
      <synopsis>
  ldap[<replaceable>s</>]://<replaceable>servername</>[:<replaceable>port</>]/<replaceable>base
dn</replaceable>[;<replaceable>prefix</>[;<replaceable>suffix</>]]
      </synopsis>
!     for example:
      <synopsis>
! ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\
      </synopsis>

     </para>
--- 929,941 ----
      <synopsis>
  ldap[<replaceable>s</>]://<replaceable>servername</>[:<replaceable>port</>]/<replaceable>base
dn</replaceable>[;<replaceable>prefix</>[;<replaceable>suffix</>]]
      </synopsis>
!     Commas are used to specify multiple items in an <literal>ldap</>
!     component.  However, because unquoted commas are treated as item
!     separators in <filename>pg_hba.conf</filename>, it is wise to
!     double-quote the <literal>ldap</> URL to preserve any commas present,
!     e.g.:
      <synopsis>
! "ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\"
      </synopsis>

     </para>
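Review bot: In the `--- 929,941 ----` hunk the new text says it "is wise to" double-quote the URL, which reads as optional, yet the same sentence states that unquoted commas are item separators in pg_hba.conf, so a base dn such as `dc=example,dc=net` is always split unless quoted; phrase it as a requirement, e.g. "the ldap URL must be double-quoted whenever it contains commas". The replacement example `"ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\"` also ends in a backslash immediately before the closing quote, which a reader may mistake for an escaped quote; a short clause noting that the trailing backslash belongs to the prefix (the item after the first `;` in the synopsis above) would avoid that misreading.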

Re: BUG #3123: Problem with LDAP auth strings

From:
Magnus Hagander
Date:
Bruce Momjian wrote:
> I have researched this and the incorrect behavior seems to be totally
> caused by the fact that unquoted commas are treated as item separators
> in pg_hba.conf.
>
> I have updated the documentation in 8.2 and CVS HEAD to indicate that
> the LDAP URL should be double-quoted, and double-quoted the example URL
> for emphasis.
>
> If double-quoting does not 100% fix your problem, please let us know.
> Thanks.
>
> Documentation patch attached.
>

I've been working off-list with the other person who reported the same
problem, and for him the problem was fixed with the double quotes. I was
actually just about to start on that documentation update myself, thanks
for taking care of it.

//Magnus
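The thread explains the bug as a parsing problem: unquoted commas in pg_hba.conf end an item, so an LDAP URL whose base dn contains commas is split and the double-quoted form fixes it. The following is an added example, not PostgreSQL's code and not written by anyone in this thread: a simplified model of that field splitting, plus a small audit that flags a host line whose ldap URL was cut at a comma and, for a correctly quoted line, shows how the prefix and suffix wrap the username. Assumptions not taken from the thread: items end at whitespace and at unquoted commas, a double-quoted token keeps its commas verbatim, backslash escaping is not modelled, host lines have the method in the fifth column, and the bind name is built as prefix + username + suffix. The sample lines, the `audit_hba_line` helper and the user name `alice` are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample pg_hba.conf host lines (not taken from a real deployment).
# The URL is the one from the documentation patch; the prefix "EXAMPLE\" ends
# in a backslash so the bind name becomes EXAMPLE\<username>.
HBA_UNQUOTED = (
    "host all all 192.168.0.0/24 ldap "
    "ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\\"
)
HBA_QUOTED = (
    "host all all 192.168.0.0/24 ldap "
    '"ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\\"'
)

# Mirrors the synopsis from the patch: ldap[s]://server[:port]/basedn[;prefix[;suffix]]
LDAP_URL_RE = re.compile(
    r"(?P<scheme>ldaps?)://(?P<server>[^/:]+)(?::(?P<port>\d+))?/"
    r"(?P<base_dn>[^;]*)(?:;(?P<prefix>[^;]*)(?:;(?P<suffix>.*))?)?"
)


def split_hba_fields(line: str) -> list:
    """Simplified pg_hba.conf tokenizer (assumption, not PostgreSQL's hba.c):
    whitespace and unquoted commas end an item; a double-quoted span is kept
    verbatim, commas included. No escape sequences are recognised."""
    items, buf, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and (ch.isspace() or ch == ","):
            if buf:
                items.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated double quote in pg_hba.conf line")
    if buf:
        items.append("".join(buf))
    return items


def parse_ldap_url(url: str) -> Optional[dict]:
    """Split an ldap URL into its components; missing parts become ''."""
    m = LDAP_URL_RE.fullmatch(url)
    if m is None:
        return None
    return {k: (v or "") for k, v in m.groupdict().items()}


def bind_dn(parsed: dict, username: str) -> str:
    """Assumed construction of the name sent to the directory: prefix + user + suffix."""
    return parsed["prefix"] + username + parsed["suffix"]


def audit_hba_line(line: str):
    """Return (ok, message, parsed_url). A line is rejected when the ldap
    method is followed by more than one item, which is exactly what an
    unquoted comma inside the URL produces."""
    fields = split_hba_fields(line)
    method_idx = 4 if fields and fields[0].startswith("host") else 3
    if len(fields) <= method_idx or fields[method_idx] != "ldap":
        return False, "no ldap auth method on this line", None
    options = fields[method_idx + 1:]
    if len(options) != 1:
        return False, (
            f"ldap method is followed by {len(options)} items; an unquoted comma "
            "split the URL. Double-quote the whole ldap URL."
        ), None
    parsed = parse_ldap_url(options[0])
    if parsed is None:
        return False, f"option {options[0]!r} is not an ldap URL", None
    return True, "ok", parsed


if __name__ == "__main__":
    for label, sample in (("unquoted", HBA_UNQUOTED), ("quoted", HBA_QUOTED)):
        ok, msg, parsed = audit_hba_line(sample)
        print(f"{label}: ok={ok} {msg}")
        if ok:
            print("  base dn:", parsed["base_dn"])
            print("  bind name for alice:", bind_dn(parsed, "alice"))
```

Running the block shows the unquoted line rejected because the URL arrives as two items (`ldap://ldap.example.net/dc=example` and `dc=net;EXAMPLE\`), which is the truncated base dn the original report describes, while the quoted line parses with the full base dn and yields `EXAMPLE\alice`. The audit is a reasonable pre-deployment check for any pg_hba.conf that carries comma-bearing LDAP URLs.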