When using pg_service.conf with LDAP, we document[1] the following sample LDIF for populating the LDAP server:
version:1
dn:cn=mydatabase,dc=mycompany,dc=com
changetype:add
objectclass:top
objectclass:groupOfUniqueNames
cn:mydatabase
uniqueMember:host=dbserver.mycompany.com
uniqueMember:port=5439
uniqueMember:dbname=mydb
uniqueMember:user=mydb_user
uniqueMember:sslmode=require

That presumably worked at one point, but OpenLDAP 2.4.23 and OpenLDAP 2.4.39 both reject it cryptically:

ldap_add: Invalid syntax (21)
        additional info: uniqueMember: value #0 invalid per syntax

uniqueMember is specified to bear a distinguished name. While OpenLDAP does not verify that uniqueMember values correspond to known DNs, it does verify that the value syntactically could be a DN. To give examples, "o=foobar" is always accepted, but "xyz=foobar" is always rejected: "xyz" is not an LDAP DN attribute type. Amid the LDAP core schema, "device" is the best-fitting objectClass having the generality required. Let's convert to that, as attached. I have verified that this works end-to-end.

Thanks,
nm

[1] http://www.postgresql.org/docs/devel/static/libpq-ldap.html

-- 
Noah Misch
EnterpriseDB http://www.enterprisedb.com
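Added example, not from the message above or from the PostgreSQL sources: a small Python check that mirrors the two points Noah makes, the DN-syntax test OpenLDAP applies to uniqueMember values (using an assumed subset of RFC 4519 attribute types) and the key=value interpretation libpq gives to the free-form description values of the corrected entry (using an assumed subset of libpq parameter names). The sample LDIF is a constructed copy of the corrected entry.

```python
# RDN attribute types from the LDAP core schema (RFC 4519); a constructed subset
# for this example, not the full schema.
DN_ATTRIBUTE_TYPES = {"cn", "dc", "o", "ou", "l", "st", "c", "uid", "sn", "street"}
# libpq connection parameter names a service entry may carry (assumed subset).
LIBPQ_KEYS = {"host", "hostaddr", "port", "dbname", "user", "sslmode"}

def is_dn_syntax(value):
    """True if value could syntactically be a DN (RFC 4514): RDNs joined by ',',
    each one or more '+'-joined attribute=value pairs with a known type."""
    for rdn in value.split(","):
        for ava in rdn.split("+"):
            attr, sep, val = ava.partition("=")
            if not sep or not val.strip() or attr.strip().lower() not in DN_ATTRIBUTE_TYPES:
                return False
    return True

def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {attribute: [values]} (no folding, no base64)."""
    entry = {}
    for line in ldif_text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def connection_params(entry, attr="description"):
    """Collect key=value connection parameters from attr, the way libpq uses the
    values returned by ...?description?one?(cn=...); unknown keys are rejected."""
    params = {}
    for value in entry.get(attr, []):
        key, sep, val = value.partition("=")
        if not sep or key not in LIBPQ_KEYS:
            raise ValueError("not a libpq connection parameter: %r" % value)
        params[key] = val
    return params

# Constructed copy of the corrected sample entry from the patch.
SAMPLE_LDIF = """\
dn: cn=mydatabase,dc=mycompany,dc=com
objectclass: top
objectclass: device
cn: mydatabase
description: host=dbserver.mycompany.com
description: port=5439
description: dbname=mydb
description: user=mydb_user
description: sslmode=require
"""
```

Running `is_dn_syntax` over the old uniqueMember values shows why every one of them fails the schema check, while `connection_params(parse_ldif_entry(SAMPLE_LDIF))` yields the parameters the service lookup is meant to supply.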
commit 957b58f (HEAD) Author: Noah Misch <n...@leadboat.com> AuthorDate: Mon Aug 4 00:03:21 2014 -0400 Commit: Noah Misch <n...@leadboat.com> CommitDate: Mon Aug 4 00:03:21 2014 -0400 Make pg_service.conf sample LDIF more portable. The aboriginal sample placed connection parameters in groupOfUniqueNames/uniqueMember. OpenLDAP, at least as early as version 2.4.23, rejects uniqueMember entries that do not conform to the syntax for a distinguished name. Use device/description, which is free-form. Back-patch to 9.4 for web site visibility. diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index db634a8..ef45fbf 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -7043,17 +7043,17 @@ version:1 dn:cn=mydatabase,dc=mycompany,dc=com changetype:add objectclass:top -objectclass:groupOfUniqueNames +objectclass:device cn:mydatabase -uniqueMember:host=dbserver.mycompany.com -uniqueMember:port=5439 -uniqueMember:dbname=mydb -uniqueMember:user=mydb_user -uniqueMember:sslmode=require +description:host=dbserver.mycompany.com +description:port=5439 +description:dbname=mydb +description:user=mydb_user +description:sslmode=require </programlisting> might be queried with the following LDAP URL: <programlisting> -ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase) +ldap://ldap.mycompany.com/dc=mycompany,dc=com?description?one?(cn=mydatabase) </programlisting> </para>
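Review bot: because description is a general-purpose, multi-valued attribute, the text around this programlisting should state that every description value returned by ldap://ldap.mycompany.com/dc=mycompany,dc=com?description?one?(cn=mydatabase) is taken as a libpq keyword=value pair, so the entry must not also carry an ordinary free-text description. Consider adding one sentence to that effect after the second programlisting; the change of the URL attribute from uniqueMember to description is otherwise consistent with the entry above it.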