BUG #15495: Ldap authentication not working with multiple server in Postgresql 11

Started by PG Bug reporting form, over 7 years ago. 4 messages. List: bugs
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 15495
Logged by: Renaud Navarro
Email address: rnavarro@nocibe.fr
PostgreSQL version: 11.1
Operating system: Oracle Linux 7.5
Description:

Hi

After upgrading the database from postgresql 10.5 to postgresql 11.1, LDAP
authentication no longer works with multiple LDAP servers specified.
The pg_hba.conf has the following line:
hostssl all all 172.20.0.0/16 ldap ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net" ldapprefix="NOCIBE\" ldaptls=1 "
I have the following error in the log file:
2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad parameter to an ldap routine
2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for user "admin_rnavarro"
If I modify the pg_hba.conf with one LDAP server, the authentication is
working.
The same entry with postgresql 10.5 works perfectly.

Thanks for helping me

Kind Regards

#2 Thomas Munro
thomas.munro@gmail.com
In reply to: PG Bug reporting form (#1)
Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11

On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
<noreply@postgresql.org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 15495
> Logged by: Renaud Navarro
> Email address: rnavarro@nocibe.fr
> PostgreSQL version: 11.1
> Operating system: Oracle Linux 7.5
> Description:
>
> Hi
>
> After upgrading the database from postgresql 10.5 to postgresql 11.1, LDAP
> authentication no longer works with multiple LDAP servers specified.
> The pg_hba.conf has the following line:
> hostssl all all 172.20.0.0/16 ldap ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net" ldapprefix="NOCIBE\" ldaptls=1 "
> I have the following error in the log file:
> 2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad parameter to an ldap routine
> 2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for user "admin_rnavarro"
> If I modify the pg_hba.conf with one LDAP server, the authentication is
> working.
> The same entry with postgresql 10.5 works perfectly.

Thanks for the report. I see the problem. In commit
35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
to ldap_initialize() because the newer interface supports LDAPS. To
do that we have to build a URI from the given protocol, server and
port. I overlooked the case where multiple servers are specified in
ldapserver. If you say ldapserver="a b c" then we generate a URI
"ldap://a b c:389", but it looks like we should instead generate a URI
list "ldap://a:389 ldap://b:389 ldap://c:389".

Unfortunately there doesn't seem to be an obvious workaround until we
can ship a fix in the next point release, because ldapurl doesn't
support the space-separated list format either.

--
Thomas Munro
http://www.enterprisedb.com
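The URI construction Thomas describes, as an added C example that is not PostgreSQL's own code: the pre-fix form interpolates the whole ldapserver value as a single host, while the corrected form splits on whitespace and emits one scheme://host:port URI per server, space-separated, which is the list form ldap_initialize() accepts. The function names and the buffer-overflow handling are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix behaviour from the thread (hypothetical helper, not PostgreSQL's
 * code): the whole ldapserver value is one host, so "a b c" -> "ldap://a b c:389". */
int build_ldap_uri_buggy(const char *scheme, const char *servers, int port,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s://%s:%d", scheme, servers, port);
    return (n < 0 || (size_t) n >= outlen) ? -1 : 1;
}

/* Corrected behaviour: split ldapserver on whitespace and emit one
 * scheme://host:port per server, space-separated, which is the URI list
 * form ldap_initialize() accepts.  Returns the URI count, -1 on overflow. */
int build_ldap_uri_list(const char *scheme, const char *servers, int port,
                        char *out, size_t outlen)
{
    const char *p = servers;
    size_t used = 0;
    int count = 0;

    out[0] = '\0';
    while (*p)
    {
        while (*p && isspace((unsigned char) *p)) p++;  /* skip separators */
        if (!*p)
            break;
        const char *host = p;
        while (*p && !isspace((unsigned char) *p)) p++; /* end of hostname */
        int n = snprintf(out + used, outlen - used, "%s%s://%.*s:%d",
                         count ? " " : "", scheme, (int) (p - host), host, port);
        if (n < 0 || (size_t) n >= outlen - used)
            return -1;                  /* truncated: refuse a partial list */
        used += (size_t) n;
        count++;
    }
    return count;
}

int main(void)
{
    char uri[256];
    build_ldap_uri_buggy("ldap", "a b c", 389, uri, sizeof uri);
    printf("before: %s\n", uri);
    build_ldap_uri_list("ldap", "a b c", 389, uri, sizeof uri);
    printf("after:  %s\n", uri);
    return 0;
}
```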

#3 Thomas Munro
thomas.munro@gmail.com
In reply to: Thomas Munro (#2)
Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11

On Sat, Nov 10, 2018 at 8:28 AM Thomas Munro
<thomas.munro@enterprisedb.com> wrote:

> On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
> <noreply@postgresql.org> wrote:
>
> > The following bug has been logged on the website:
> >
> > Bug reference: 15495
> > Logged by: Renaud Navarro
> > Email address: rnavarro@nocibe.fr
> > PostgreSQL version: 11.1
> > Operating system: Oracle Linux 7.5
> > Description:
> >
> > Hi
> >
> > After upgrading the database from postgresql 10.5 to postgresql 11.1, LDAP
> > authentication no longer works with multiple LDAP servers specified.
> > The pg_hba.conf has the following line:
> > hostssl all all 172.20.0.0/16 ldap ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net" ldapprefix="NOCIBE\" ldaptls=1 "
> > I have the following error in the log file:
> > 2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad parameter to an ldap routine
> > 2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for user "admin_rnavarro"
> > If I modify the pg_hba.conf with one LDAP server, the authentication is
> > working.
> > The same entry with postgresql 10.5 works perfectly.
>
> Thanks for the report. I see the problem. In commit
> 35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
> to ldap_initialize() because the newer interface supports LDAPS. To
> do that we have to build a URI from the given protocol, server and
> port. I overlooked the case where multiple servers are specified in
> ldapserver. If you say ldapserver="a b c" then we generate a URI
> "ldap://a b c:389", but it looks like we should instead generate a URI
> list "ldap://a:389 ldap://b:389 ldap://c:389".

Here's a draft patch.

--
Thomas Munro
http://www.enterprisedb.com

Attachments:

0001-Fix-handling-of-ldapserver-with-multiple-hostnames.patch (application/octet-stream, +54 -7)
#4 Thomas Munro
thomas.munro@gmail.com
In reply to: Thomas Munro (#3)
Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11

On Sat, Nov 10, 2018 at 11:45 AM Thomas Munro
<thomas.munro@enterprisedb.com> wrote:

> On Sat, Nov 10, 2018 at 8:28 AM Thomas Munro
> <thomas.munro@enterprisedb.com> wrote:
>
> > On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
> > <noreply@postgresql.org> wrote:
> >
> > > After upgrading the database from postgresql 10.5 to postgresql 11.1, LDAP
> > > authentication no longer works with multiple LDAP servers specified.
> >
> > Thanks for the report. I see the problem. In commit
> > 35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
> > to ldap_initialize() because the newer interface supports LDAPS. To
> > do that we have to build a URI from the given protocol, server and
> > port. I overlooked the case where multiple servers are specified in
> > ldapserver. If you say ldapserver="a b c" then we generate a URI
> > "ldap://a b c:389", but it looks like we should instead generate a URI
> > list "ldap://a:389 ldap://b:389 ldap://c:389".
>
> Here's a draft patch.

I did some testing with various multi-server configurations, added a
simple two hostname case to the regression tests and pushed this to
master and 11. Thanks again for the report.

--
Thomas Munro
http://www.enterprisedb.com