BUG #3095: LDAP authentication parsing incorrectly

On Thu, Mar 01, 2007 at 09:48:34PM +0000, Joey Wang wrote:

The following bug has been logged online:

Bug reference: 3095
Logged by: Joey Wang
Email address: jwang@sentillion.com
PostgreSQL version: 8.2.3
Operating system: Linux
Description: LDAP authentication parsing incorrectly
Details:

LDAP authentication parsing has two bugs.

When pg_hba.conf contains the a line

host all all 127.0.0.1/24 ldap
ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users

We expect the parsing will construct a user DN as

cn=userid,cn=users,dc=domain,dc=com

But

(1) dc=domain,dc=com is ignored. This is the src code from auth.c:

.....

/* ldap, no port number */
r = sscanf(port->auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
server, basedn, prefix, suffix);

.....

snprintf(fulluser, sizeof(fulluser), "%s%s%s",
prefix, port->user_name, suffix);
fulluser[sizeof(fulluser) - 1] = '\0';

r = ldap_simple_bind_s(ldap, fulluser, passwd);

We can see the code did not use basedn.

That is indeed so. IIRC, that was actually intentional, to make it
possible to use suffix-less binding (such as EXAMPLE\account for
ActiveDirectory, using the NT domain name instead of the LDAP dn). Does
kind of make the base dn unnecessary ;-)

(2) suffix containing ',' is converted to other character. This bug is
caused by parsing algrithm to treat comma as a token separator.

For some reason, I can't get my AD to accept my LDAP connection on my
test machine - it keeps bitching about certificates and such.
Anwyay. Does it not work if you quote the LDAP url? I *think* that is
permitted...

//Magnus

I have researched this problem, and the incorrect behavior seems to be
totally caused by the fact that unquoted commas are treated as item
separators in pg_hba.conf.

I have updated the documentation in 8.2 and CVS HEAD to indicate that
the LDAP URL should be double-quoted, and double-quoted the example URL
for emphasis.

If double-quoting does not 100% fix your problem, please let us know.
Thanks.

Documentation patch attached.

---------------------------------------------------------------------------

Joey Wang wrote:

The following bug has been logged online:

Bug reference: 3095
Logged by: Joey Wang
Email address: jwang@sentillion.com
PostgreSQL version: 8.2.3
Operating system: Linux
Description: LDAP authentication parsing incorrectly
Details:

LDAP authentication parsing has two bugs.

When pg_hba.conf contains the a line

host all all 127.0.0.1/24 ldap
ldap://ActiveDirectory/dc=domain,dc=com;cn=;,cn=users

We expect the parsing will construct a user DN as

cn=userid,cn=users,dc=domain,dc=com

But

(1) dc=domain,dc=com is ignored. This is the src code from auth.c:

.....

/* ldap, no port number */
r = sscanf(port->auth_arg, "ldap://%127[^/]/%127[^;];%127[^;];%127s",
server, basedn, prefix, suffix);

.....

snprintf(fulluser, sizeof(fulluser), "%s%s%s",
prefix, port->user_name, suffix);
fulluser[sizeof(fulluser) - 1] = '\0';

r = ldap_simple_bind_s(ldap, fulluser, passwd);

We can see the code did not use basedn.

(2) suffix containing ',' is converted to other character. This bug is
caused by parsing algrithm to treat comma as a token separator.

---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?

http://archives.postgresql.org

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +