Tom Lane wrote:
> stephen layland <[EMAIL PROTECTED]> writes:
> > I've written a quick patch against the head branch (8.4DEV, but it also
> > works with 8.1.3 sources) to fix LDAP authentication support to
> > work with LDAPS servers that do not need start TLS. I'd be interested
> > to hear your opinions on this.
> 
> Not being an LDAP user, I'm not very qualified to comment on the details
> here, but ...
> 
> >         My solution was to create a boolean config variable called
> >         ldap_use_start_tls which the user can toggle whether or not
> >         start tls is necessary.
> 
> ... I really don't like using a GUC variable to determine the
> interpretation of entries in pg_hba.conf.  A configuration file exists
> to set configuration, it shouldn't need help from a distance.  Also,
> doing it this way means that if several different LDAP servers are
> referenced in different pg_hba.conf entries, they'd all have to have
> the same encryption behavior.
> 
> I think a better idea is to embed the flag in the pg_hba.conf entry
> itself.  Perhaps something like "ldapso:" instead of "ldaps:" to
> indicate "old" secure ldap protocol, or include another parameter
> in the URL body.

With ldaps on port 636 STARTTLS should NEVER be issued, so the protocol identifier ldaps should be sufficient as a "do not issue STARTTLS" flag. IMHO the current pg_hba.conf implementation doesn't follow the usual nomenclature; ldap with TLS is still ldap. Using ldaps as an indicator for ldap with TLS over port 389 is misleading for anyone familiar with ldap.

Regards,
Andreas
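The following is an added worked example; it is not code from this thread, from Stephen's patch, or from PostgreSQL itself. It models the rule Andreas states and the per-entry flag Tom suggests: the URL scheme in a pg_hba.conf LDAP entry decides the transport. `ldaps://` means implicit TLS on port 636 and StartTLS must never be issued on it; `ldap://` means a plain connection on port 389 that may opt into StartTLS through a separate per-entry flag. The `starttls` argument is a hypothetical stand-in for whatever per-entry flag a pg_hba.conf syntax would carry, and the hostnames and DNs are constructed sample values.

```python
"""Derive LDAP transport settings from a pg_hba.conf-style LDAP URL.

Added example, not PostgreSQL code. The URL body follows the 8.1-era form
ldap[s]://host[:port]/basedn;prefix;suffix. The `starttls` argument is a
hypothetical per-entry flag (an assumption, not a real pg_hba.conf option).
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# RFC-assigned defaults: plain LDAP (and LDAP + StartTLS) on 389, LDAPS on 636.
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


class LdapUrlError(ValueError):
    """Raised for unsupported schemes or contradictory TLS settings."""


@dataclass(frozen=True)
class LdapTransport:
    host: str
    port: int
    base_dn: str
    implicit_tls: bool   # TLS handshake happens before any LDAP message (ldaps)
    use_starttls: bool   # plain TCP connect, then the StartTLS extended operation


def ldap_transport_from_hba(url: str, starttls: bool = False) -> LdapTransport:
    """Map a pg_hba.conf LDAP URL plus a hypothetical StartTLS flag to a transport.

    ldaps:// always means implicit TLS and never StartTLS; requesting StartTLS
    on an ldaps:// URL is treated as a configuration error rather than silently
    ignored, so a misconfigured entry fails closed.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in LDAP_DEFAULT_PORTS:
        raise LdapUrlError(f"unsupported scheme {parts.scheme!r}; expected ldap or ldaps")
    if not parts.hostname:
        raise LdapUrlError("LDAP URL has no host")

    # An explicit port (e.g. a non-standard LDAPS listener) overrides the default.
    port = parts.port or LDAP_DEFAULT_PORTS[scheme]

    # The URL body is "/basedn;prefix;suffix"; only the base DN is needed here.
    base_dn = parts.path.lstrip("/").split(";")[0]

    if scheme == "ldaps":
        if starttls:
            raise LdapUrlError("StartTLS requested on an ldaps:// URL; ldaps is already TLS")
        return LdapTransport(parts.hostname, port, base_dn, implicit_tls=True, use_starttls=False)

    return LdapTransport(parts.hostname, port, base_dn, implicit_tls=False, use_starttls=starttls)


def connection_steps(t: LdapTransport) -> list:
    """Return the protocol steps a client would perform, in order.

    Makes the difference visible: with implicit TLS the handshake precedes
    every LDAP message; with StartTLS the connection starts in the clear and
    is upgraded by an LDAP extended operation before the bind.
    """
    steps = [f"tcp-connect:{t.port}"]
    if t.implicit_tls:
        steps.append("tls-handshake")
    elif t.use_starttls:
        steps.append("ldap-starttls-extended-op")
    steps.append("ldap-bind")
    return steps


if __name__ == "__main__":
    # Constructed sample entries, not real servers.
    for url, flag in [
        ("ldap://ldap.example.com/dc=example,dc=com;uid=;,ou=people,dc=example,dc=com", False),
        ("ldap://ldap.example.com/dc=example,dc=com;uid=;,ou=people,dc=example,dc=com", True),
        ("ldaps://ldap.example.com/dc=example,dc=com;uid=;,ou=people,dc=example,dc=com", False),
        ("ldaps://ldap.example.com:10636/dc=example,dc=com", False),
    ]:
        t = ldap_transport_from_hba(url, starttls=flag)
        print(f"{url} starttls={flag} -> {connection_steps(t)}")
```

The point of raising on `ldaps://` plus StartTLS, rather than ignoring the flag, is that the two mechanisms are mutually exclusive in the protocol: a StartTLS extended operation sent over an already-TLS LDAPS session is at best rejected by the server, so an entry that asks for both is a configuration mistake worth surfacing at load time.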


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers