On Tue, Sep 12, 2017 at 7:21 AM, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote:
> On 9/8/17 13:24, Mark Cave-Ayland wrote:
>> My weapon of choice for LDAP deployments on POSIX-based systems is
>> Arthur De Jong's nss-pam-ldapd (https://arthurdejong.org/nss-pam-ldapd)
>> which is far more flexible than pam_ldap and fixes a large number of
>> bugs, including the tendency for pam_ldap to hang infinitely if it can't
>> contact its LDAP server.
>>
>> Take a look at nss-pam-ldapd's man page for nslcd.conf and in particular
>> pam_authz_search - this is exactly the type of filters I would end up
>> deploying onto servers. This happens a lot in large organisations
>> whereby getting group memberships updated in the main directory can take
>> days/weeks whereas someone with root access to the server itself can
>> hard-code an authentication list of users and/or groups in an LDAP
>> filter in just a few minutes.
>
> Thomas, would you consider using the placeholder syntax described at
> <https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5> under
> pam_authz_search?
Sounds good. Here it is with $username. It's nice not to have to escape
any characters in URLs. I suppose more keywords could be added in
follow-up patches if someone thinks that would be useful ($hostname,
$dbname, ...?).

I got sick of that buffer sizing code and changed it to use StringInfo.

Here also are your test patches tweaked slightly: 0002 just adds FreeBSD
support as per previous fixup and 0003 changes to $username.

-- 
Thomas Munro
http://www.enterprisedb.com
0001-Allow-custom-search-filters-to-be-configured-for-LDA.patch
Description: Binary data
0002-Add-LDAP-authentication-test-suite.patch
Description: Binary data
0003-Add-tests-for-ldapsearchfilter-functionality.patch
Description: Binary data
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers