LDAP Login Problem

2010/3/3 Tom Robst <tomrobst@thermocable.com>:

Hi,

I am having a problem with authentication using LDAP on PostgreSQL 8.4.2.

The problem seems to be limited to which attribute is specified in the ldapprefix. If I specify "uid=" and then try login using the username "trobst" (which is the value in the ldap db) I get an error:

host    all         all         192.168.1.0/24        ldap ldapserver=ldap.thermocable.com ldapprefix="uid=" ldapsuffix=",cn=Staff,dc=thermocable,dc=com"

LOG:  LDAP login failed for user
"uid=trobst,cn=Staff,dc=thermocable,dc=com" on server
"ldap.thermocable.com": error code 49
FATAL:  LDAP authentication failed for user "trobst"

However if I specify the ldapprefix to be "cn=" and login using the username "Tom Robst" it all works fine.

host    all         all         192.168.1.0/24        ldap ldapserver=ldap.thermocable.com ldapprefix="cn=" ldapsuffix=",cn=Staff,dc=thermocable,dc=com"

The LDAP authentication needs to bind with the full DN, which is
"cn=...". Specifying uid= doesn't make it a valid LDAP distinguished
name. So unless your LDAP server is "tricky" (like the Microsoft one,
which accepts both DN and "DOMAIN\username" in the login packet),
there's nothing you can do I think. (well, you can also change all
your DNs in the LDAP catalog, but that's likely to break a lot of
other things)

PostgreSQL 9.0 will allow you do do a search+bind to get the
functionality you want. The change should be fairly standalone so you
could probably have it backpatched if it's urgent for you, but since
it's a new feature it's not something the community backpatches.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Thanks Magnus. I should have mentioned I'm using OpenLDAP 2.2. I guess
I'll just have to wait for Postgres 9 and workaround it in the meantime.
It's not an insurmountable issue...

Regards,
Tom Robst
--