Hi hackers,

A customer asked how to use pg_hba.conf LDAP search+bind authentication to restrict logins to users in one of a small number of groups. ldapsearchattribute only lets you make filters like "(foo=username)", so it couldn't be done. Is there any reason we should allow a more general kind of search filter constructions?

A post on planet.postgresql.org today reminded me that a colleague had asked me to post this POC patch here for discussion. It allows custom filters with ldapsearchprefix and ldapsearchsuffix. Another approach might be to take a filter pattern with "%USERNAME%" or whatever in it. There's an existing precedent for the prefix and suffix approach, but on the other hand a pattern approach would allow filters where the username is inserted more than once.

Motivating example:

ldapsearchprefix="(&(cn="
ldapsearchsuffix=")(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team))"

Note that with this patch ldapsearchattribute=cn is equivalent to:

ldapsearchprefix="(cn="
ldapsearchsuffix=")"

Perhaps there are better ways to organise your LDAP servers so that this sort of thing isn't necessary. I don't know. Thoughts?

--
Thomas Munro
http://www.enterprisedb.com
ldap-search-filters-v1.patch
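An added example (not part of Thomas Munro's post or the patch) showing how the proposed ldapsearchprefix/ldapsearchsuffix options compose into a search filter, including the shorthand equivalence for ldapsearchattribute described above. It also shows the check a practitioner wants before wiring a user-supplied name into a filter: the name must be escaped per RFC 4515, and the prefix/suffix pair should produce balanced parentheses. Function names and the escaping step are this example's own choices.

```python
from typing import Optional

# RFC 4515 says these characters must be escaped inside an assertion value;
# a raw "(" or ")" in the user name would otherwise alter the filter's logic.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(username: str, attribute: Optional[str] = None,
                        prefix: str = "", suffix: str = "") -> str:
    """Compose the filter a search+bind login would send to the directory.

    As in the post, ldapsearchattribute=cn is treated as shorthand for
    ldapsearchprefix="(cn=" ldapsearchsuffix=")".
    """
    if attribute is not None:
        prefix, suffix = "(" + attribute + "=", ")"
    return prefix + escape_filter_value(username) + suffix


def filter_is_balanced(ldap_filter: str) -> bool:
    # Cheap sanity check for a prefix/suffix pair: parentheses must balance.
    # Escaped parens in the user name appear as \28 / \29 and are not counted.
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Constructed example: restrict logins to members of either DBA group.
# This suffix closes the outer "(&" as well as the "(|" alternation.
GROUP_PREFIX = "(&(cn="
GROUP_SUFFIX = ")(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team)))"

if __name__ == "__main__":
    print(build_search_filter("alice", prefix=GROUP_PREFIX, suffix=GROUP_SUFFIX))
    print(build_search_filter("alice)(cn=*", prefix=GROUP_PREFIX, suffix=GROUP_SUFFIX))
```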