BUG #16399: Ldap authentication bug

Started by PG Bug reporting form, about 6 years ago, 2 messages, bugs
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 16399
Logged by: Ciaran
Email address: ciaranrh@gmail.com
PostgreSQL version: 10.12
Operating system: Windows Server 2012
Description:

Hello,

Follow the documentation here:
https://www.postgresql.org/docs/10/auth-methods.html#AUTH-LDAP I'm
attempting to enable LDAP authentication on my postgres database.

The relevant line for my testing this in my pg_hba.conf file is as
follows:
host all ciaranh 0.0.0.0/0 ldap
ldapurl="ldap://<DC>/OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one"
#ldapbinddn="CN=Postgres Bind, OU=Service Accounts, DC=CNFLTD, DC=COM"
ldapbindpasswd="cnfP@ssw0rd"

I receive the following error when trying to start the postgres service:
2020-04-28 16:00:02.619 PDT [4704] LOG: authentication method "ldap"
requires argument "ldapserver" to be set
2020-04-28 16:00:02.619 PDT [4704] CONTEXT: line 79 of configuration file
"C:/Program Files/PostgreSQL/10/data/pg_hba.conf"
2020-04-28 16:00:02.619 PDT [4704] FATAL: could not load pg_hba.conf

I do not understand why the ldapserver need be set if it's specified in the
ldapurl field, this seems like a bug to me.

#2 Thomas Munro
thomas.munro@gmail.com
In reply to: PG Bug reporting form (#1)
Re: BUG #16399: Ldap authentication bug

On Wed, Apr 29, 2020 at 12:22 PM PG Bug reporting form
<noreply@postgresql.org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 16399
> Logged by: Ciaran
> Email address: ciaranrh@gmail.com
> PostgreSQL version: 10.12
> Operating system: Windows Server 2012
> Description:
>
> Hello,
>
> Follow the documentation here:
> https://www.postgresql.org/docs/10/auth-methods.html#AUTH-LDAP I'm
> attempting to enable LDAP authentication on my postgres database.
>
> The relevant line for my testing this in my pg_hba.conf file is as
> follows:
> host all ciaranh 0.0.0.0/0 ldap
> ldapurl="ldap://<DC>/OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one"
> #ldapbinddn="CN=Postgres Bind, OU=Service Accounts, DC=CNFLTD, DC=COM"
> ldapbindpasswd="cnfP@ssw0rd"
>
> I receive the following error when trying to start the postgres service:
> 2020-04-28 16:00:02.619 PDT [4704] LOG: authentication method "ldap"
> requires argument "ldapserver" to be set
> 2020-04-28 16:00:02.619 PDT [4704] CONTEXT: line 79 of configuration file
> "C:/Program Files/PostgreSQL/10/data/pg_hba.conf"
> 2020-04-28 16:00:02.619 PDT [4704] FATAL: could not load pg_hba.conf
>
> I do not understand why the ldapserver need be set if it's specified in the
> ldapurl field, this seems like a bug to me.

Huh. I'm surprised you don't get the error "LDAP URLs not supported
on this platform"[1], since you're on Windows. Our documentation
states that we don't support LDAP URLs on Windows (patches welcome);
it's possible that the error checking for that is somehow wrong.

I haven't heard of this myself, but if your build is somehow using
OpenLDAP instead of Win32 LDAP then I suppose it should just work
(though I'm not entirely sure if there are other places in the code
that assume that Windows must be using Win32 LDAP). That would imply
that ldap_url_parse() succeeded but set urldata->lud_host to NULL for
your input string. Not sure why; when I tried passing that exact URL
to my local ldap_url_parse() it gives back the string "<DC>". I don't
expect that to actually work (perhaps Windows LDAP understands "<DC>"
here, but I don't think OpenLDAP does) but that's another problem.

[1]: https://github.com/postgres/postgres/blob/REL_10_STABLE/src/backend/libpq/hba.c#L1746
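
Where `ldapurl` is not accepted, as the reply says the documentation states for Windows, the same settings can be written as discrete pg_hba.conf options. The following is an added example (not part of the thread and not PostgreSQL code) that splits the reported URL into `ldapserver`, `ldapport`, `ldapbasedn` and `ldapsearchattribute` and flags what does not carry over. The function names are hypothetical, and the URL shape assumed is `ldap://host[:port]/basedn[?[attribute][?[scope]]]` without bracketed IPv6 hosts.

```python
import re
from urllib.parse import unquote

# The ldapurl value from the report, placeholder host kept as posted.
REPORTED_URL = "ldap://<DC>/OU=IT,DC=CNFLTD,DC=COM?sAMAccountName?one"

# Syntactic host-name check only (no DNS lookup, no bracketed IPv6 literals).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def ldapurl_to_options(url):
    """Split ldap://host[:port]/basedn[?[attribute][?[scope]]] into discrete
    pg_hba.conf LDAP options. Returns (options, warnings)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ldap":
        raise ValueError("expected an ldap:// URL, got %r" % url)
    hostport, _, tail = rest.partition("/")
    basedn, _, query = tail.partition("?")
    fields = query.split("?") + ["", ""]  # pad so attribute and scope exist
    attribute, scope = fields[0], fields[1].lower()
    host, _, port = hostport.partition(":")

    options, warnings = {}, []
    if not host:
        warnings.append("URL has no host, so ldapserver stays unset")
    else:
        options["ldapserver"] = host
        if not HOSTNAME_RE.match(host):
            warnings.append("host %r is not a valid host name or address" % host)
    if port:
        if not port.isdigit():
            raise ValueError("non-numeric port %r" % port)
        options["ldapport"] = port
    if basedn:
        options["ldapbasedn"] = unquote(basedn)
    if attribute:
        options["ldapsearchattribute"] = attribute.split(",")[0]  # keep the first
    if scope not in ("", "sub"):
        warnings.append("scope %r can only be given through ldapurl" % scope)
    return options, warnings


def render_hba_options(options):
    """Format the options the way they appear on a pg_hba.conf line."""
    return " ".join('%s="%s"' % item for item in options.items())


if __name__ == "__main__":
    opts, warns = ldapurl_to_options(REPORTED_URL)
    print(render_hba_options(opts))
    for w in warns:
        print("warning:", w)
```
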