Documentation bug for LDAP authentication
While playing with LDAP authentication, I discovered
two documentation bugs.
First, user and password for the first step in the
two-step authentication mode are "ldapbinddn" and
"ldapbindpasswd", not "ldapbinduser" and "ldapbinddn".
This bug has been there since 8.4.
The second one is new in 9.3 with the URL syntax:
It is not possible to specify "user" and "password"
in the LDAP URL.
The first hunk should be backpatched.
Yours,
Laurenz Albe
Attachments: ldapdoc.patch (application/octet-stream)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 909c81b..e2f2e59 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1374,8 +1374,8 @@ omicron bryanh guest1
<para>
In the second mode, which we will call the search+bind mode,
the server first binds to the LDAP directory with
- a fixed user name and password, specified with <replaceable>ldapbinduser</>
- and <replaceable>ldapbinddn</>, and performs a search for the user trying
+ a fixed user name and password, specified with <replaceable>ldapbinddn</>
+ and <replaceable>ldapbindpasswd</>, and performs a search for the user trying
to log in to the database. If no user and password is configured, an
anonymous bind will be attempted to the directory. The search will be
performed over the subtree at <replaceable>ldapbasedn</>, and will try to
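Review bot: the sentence right after the corrected names still reads "If no user and password is configured", which is both ungrammatical ("are configured") and now vaguer than the text around it; since the hunk names the options, "If neither ldapbinddn nor ldapbindpasswd is configured, an anonymous bind will be attempted" would tie the fallback to the parameters the reader has just seen. Minor: this hunk uses the SGML short close `</>` for `<replaceable>`, while the second hunk writes `</replaceable>` in full; the two hunks should agree.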
@@ -1493,13 +1493,14 @@ omicron bryanh guest1
An RFC 4516 LDAP URL. This is an alternative way to write most of the
other LDAP options in a more compact and standard form. The format is
<synopsis>
-ldap://[<replaceable>user</replaceable>[:<replaceable>password</replaceable>]@]<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>]]]
+ldap://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>]]]
</synopsis>
<replaceable>scope</replaceable> must be one
of <literal>base</literal>, <literal>one</literal>, <literal>sub</literal>,
typically the latter. Only one attribute is used, and some other
components of standard LDAP URLs such as filters and extensions are
- not supported.
+ not supported. For non-anonymous binds, <literal>ldapbinddn</literal>
+ and <literal>ldapbindpasswd</literal> must be specified.
</para>
<para>
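Review bot: the added sentence "For non-anonymous binds, ldapbinddn and ldapbindpasswd must be specified" does not say which mode it applies to; the first hunk introduces these options as the search+bind mode's fixed credentials, so "In search+bind mode, a non-anonymous bind requires the separate ldapbinddn and ldapbindpasswd options" would make clear both where they belong and that they cannot go in the URL, which is the point of dropping user:password from the synopsis. The option names are marked `<literal>` here but `<replaceable>` in the first hunk; use one markup for the same identifiers.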
On Wed, 2012-12-19 at 15:13 +0000, Albe Laurenz wrote:
> While playing with LDAP authentication, I discovered
> two documentation bugs.
>
> First, user and password for the first step in the
> two-step authentication mode are "ldapbinddn" and
> "ldapbindpasswd", not "ldapbinduser" and "ldapbinddn".
>
> This bug has been there since 8.4.
I've committed this part. (It only goes back to 9.0.)
> The second one is new in 9.3 with the URL syntax:
> It is not possible to specify "user" and "password"
> in the LDAP URL.
That sounds like a bug to me. I'll investigate.
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
On Sat, 2012-12-29 at 23:09 -0500, Peter Eisentraut wrote:
> On Wed, 2012-12-19 at 15:13 +0000, Albe Laurenz wrote:
> > The second one is new in 9.3 with the URL syntax:
> > It is not possible to specify "user" and "password"
> > in the LDAP URL.
>
> That sounds like a bug to me. I'll investigate.
Hmm, it seems it is not intended to be supported. So I have installed
your change.
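The ldapurl grammar from the second hunk of the patch above, turned into a pg_hba.conf lint as an added example (not PostgreSQL's own code): it accepts only the documented ldap://host[:port]/basedn[?[attribute][?[scope]]] components and rejects user:password@, several attributes, filters and extensions with a reason, so embedded credentials that the documented form does not support are caught at review time instead of being silently dropped. Hostnames and DNs used in the tests are constructed.

```python
"""Lint for the ldapurl form documented in the patch above (added example,
not PostgreSQL code): ldap://host[:port]/basedn[?[attribute][?[scope]]].
Components the documentation does not list (user:password@, several
attributes, filters, extensions) are rejected rather than silently dropped."""
from urllib.parse import urlsplit, unquote

SCOPES = {"base", "one", "sub"}  # the three scope values the documentation allows


def parse_pg_ldapurl(url):
    """Return the documented components of url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError("scheme must be 'ldap'")
    if "@" in parts.netloc:
        # Credentials do not belong in the URL; the patch points to the
        # separate ldapbinddn / ldapbindpasswd options instead.
        raise ValueError("user:password@ is not supported; use ldapbinddn and ldapbindpasswd")
    if not parts.hostname:
        raise ValueError("host is required")
    if len(parts.path) < 2:  # need "/" plus a non-empty basedn
        raise ValueError("basedn is required")
    # RFC 4516 fields after the DN are ?attributes?scope?filter?extensions;
    # the documented form stops after scope.
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 2:
        raise ValueError("filters and extensions are not supported")
    attribute = fields[0] if fields else ""
    scope = fields[1] if len(fields) > 1 else ""
    if "," in attribute:
        raise ValueError("only one attribute is used")
    if scope and scope not in SCOPES:
        raise ValueError("scope must be one of base, one, sub")
    return {
        "host": parts.hostname,
        "port": parts.port,  # None when omitted
        "basedn": unquote(parts.path[1:]),
        "attribute": attribute or None,
        "scope": scope or None,  # None: not given in the URL
    }


def check_pg_ldapurl(url):
    """Lint entry point: (True, components) or (False, reason)."""
    try:
        return True, parse_pg_ldapurl(url)
    except ValueError as err:
        return False, str(err)
```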