    Fix handling of HBA ldapserver with multiple hostnames.
    Commit 35c0754 failed to handle space-separated lists of alternative hostnames in ldapserver, when building a URI for ldap_initialize() (OpenLDAP). Such lists need to be expanded to space-separated URIs. Repair. Back-patch to 11, to fix bug report #15495. Author: Thomas Munro Reported-by: Renaud Navarro Discussion: https://postgr.es/m/15495-2c39fc196c95cd72%40postgresql.org
    1 parent 6a3dcd2 commit 257ef3c

    2 files changed

    +54
    -6
    lines changed


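--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2352,12 +2352,44 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 #else
 #ifdef HAVE_LDAP_INITIALIZE
 {
-char *uri;
+const char *hostnames = port->hba->ldapserver;
+char *uris = NULL;
 
-uri = psprintf("%s://%s:%d", scheme, port->hba->ldapserver,
-port->hba->ldapport);
-r = ldap_initialize(ldap, uri);
-pfree(uri);
+/*
+* We have a space-separated list of hostnames. Convert it
+* to a space-separated list of URIs.
+*/
+do
+{
+const char *hostname;
+size_t hostname_size;
+char *new_uris;
+
+/* Find the leading hostname. */
+hostname_size = strcspn(hostnames, " ");
+hostname = pnstrdup(hostnames, hostname_size);
+
+/* Append a URI for this hostname. */
+new_uris = psprintf("%s%s%s://%s:%d",
+uris ? uris : "",
+uris ? " " : "",
+scheme,
+hostname,
+port->hba->ldapport);
+
+pfree(hostname);
+if (uris)
+pfree(uris);
+uris = new_uris;
+
+/* Step over this hostname and any spaces. */
+hostnames += hostname_size;
+while (*hostnames == ' ')
+++hostnames;
+} while (*hostnames);
+
+r = ldap_initialize(ldap, uris);
+pfree(uris);
 if (r != LDAP_SUCCESS)
 {
 ereport(LOG,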
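Review bot: A leading space in ldapserver yields an empty hostname on the first pass of the new do-while, because `hostname_size = strcspn(hostnames, " ")` returns 0 when the string starts with a space and the body runs before any spaces are skipped; the list handed to ldap_initialize() then begins with something like `ldap://:389`, which OpenLDAP may treat as a default/local host rather than reject — worth confirming against the library. The value comes from pg_hba.conf and is trusted, but a silently prepended bogus first entry is an unfriendly failure mode for an authentication path. Hoisting the space skip ahead of the loop, `while (*hostnames == ' ') ++hostnames;` placed before the `do`, closes the leading-space case (interior runs of spaces are already handled by the skip at the bottom of the body); an empty or all-space value would still pass through the body once and could instead be rejected with an explicit ereport, unless hba.c already guarantees a non-empty value, which is not visible here. InitializeLDAPConnection's body starts and ends outside the hunk.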

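--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -6,7 +6,7 @@
 
 if ($ENV{with_ldap} eq 'yes')
 {
-plan tests => 19;
+plan tests => 22;
 }
 else
 {
@@ -179,6 +179,22 @@ sub test_access
 $ENV{"PGPASSWORD"} = 'secret1';
 test_access($node, 'test1', 0, 'search+bind authentication succeeds');
 
+note "multiple servers";
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+qq{local all all ldap ldapserver="$ldap_server $ldap_server" ldapport=$ldap_port ldapbasedn="$ldap_basedn"}
+);
+$node->restart;
+
+$ENV{"PGPASSWORD"} = 'wrong';
+test_access($node, 'test0', 2,
+'search+bind authentication fails if user not found in LDAP');
+test_access($node, 'test1', 2,
+'search+bind authentication fails with wrong password');
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0, 'search+bind authentication succeeds');
+
 note "LDAP URLs";
 
 unlink($node->data_dir . '/pg_hba.conf');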
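Review bot: The new "multiple servers" case lists the same `$ldap_server` twice, so it only shows that a space-separated value is turned into a URI list and that the first entry works; it does not show that a later entry is used when an earlier one is unreachable, which is what the commit message calls alternative hostnames. A second variant with an unreachable entry listed first and the real server second would pin that down, though the choice of that entry matters: a non-resolving name could stall the test on DNS timeouts, and an address on the loopback interface might collide with the test slapd, so this is worth trying before relying on it. At minimum a comment above the append_conf call, `# Same server listed twice: exercises list parsing, not failover between entries`, would keep a future reader from assuming failover is covered here.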
