
Commit 0182d6f

Allow LDAP authentication to operate in search+bind mode, meaning it
does a search for the user in the directory first, and then binds with the DN found for this user. This allows for LDAP logins in scenarios where the DN of the user cannot be determined simply by prefix and suffix, such as the case where different users are located in different containers. The old way of authentication can be significantly faster, so it's kept as an option. Robert Fleming and Magnus Hagander
1 parent a4e035b commit 0182d6f

File tree

4 files changed, +330 -57 lines changed


doc/src/sgml/client-auth.sgml (+68 -12)
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.124 2009/10/01 01:58:57 tgl Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.125 2009/12/12 21:35:21 mha Exp $ -->
22

33
<chapter id="client-authentication">
44
<title>Client Authentication</title>
@@ -1202,14 +1202,32 @@ omicron bryanh guest1
12021202
</para>
12031203

12041204
<para>
1205-
The server will bind to the distinguished name constructed as
1205+
LDAP authentication can operate in two modes. In the first mode,
1206+
the server will bind to the distinguished name constructed as
12061207
<replaceable>prefix</> <replaceable>username</> <replaceable>suffix</>.
12071208
Typically, the <replaceable>prefix</> parameter is used to specify
12081209
<literal>cn=</>, or <replaceable>DOMAIN</><literal>\</> in an Active
12091210
Directory environment. <replaceable>suffix</> is used to specify the
12101211
remaining part of the DN in a non-Active Directory environment.
12111212
</para>
12121213

1214+
<para>
1215+
In the second mode, the server first binds to the LDAP directory with
1216+
a fixed username and password, specified with <replaceable>ldapbinduser</>
1217+
and <replaceable>ldapbinddn</>, and performs a search for the user trying
1218+
to log in to the database. If no user and password is configured, an
1219+
anonymous bind will be attempted to the directory. The search will be
1220+
performed over the subtree at <replaceable>ldapbasedn</>, and will try to
1221+
do an exact match of the attribute specified in
1222+
<replaceable>ldapsearchattribute</>. If no attribute is specified, the
1223+
<literal>uid</> attribute will be used. Once the user has been found in
1224+
this search, the server disconnects and re-binds to the directory as
1225+
this user, using the password specified by the client, to verify that the
1226+
login is correct. This method allows for significantly more flexibility
1227+
in where the user objects are located in the directory, but will cause
1228+
two separate connections to the LDAP server to be made.
1229+
</para>
1230+
12131231
<para>
12141232
The following configuration options are supported for LDAP:
12151233
<variablelist>
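Review bot: the new paragraph beginning "In the second mode" names the bind credentials as ldapbinduser and ldapbinddn, but the option list this same commit adds below defines ldapbinddn and ldapbindpasswd and no ldapbinduser; change it to "specified with <replaceable>ldapbinddn</> and <replaceable>ldapbindpasswd</>" so the prose matches the options that exist. Two smaller points in the same paragraph: "If no user and password is configured" should read "If no bind DN and password are configured", and nothing tells the administrator how the server chooses between the two modes (whether setting ldapbasedn is what switches to search+bind), so add one sentence stating the selection rule. Since the client-supplied username is matched against ldapsearchattribute inside an LDAP search filter, the text should also say whether characters special to filters (RFC 4515: "*", "(", ")", "\" and NUL) are escaped before the search is issued, so administrators know which usernames are safe to accept.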
@@ -1221,42 +1239,80 @@ omicron bryanh guest1
12211239
</para>
12221240
</listitem>
12231241
</varlistentry>
1242+
<varlistentry>
1243+
<term><literal>ldapport</literal></term>
1244+
<listitem>
1245+
<para>
1246+
Port number on LDAP server to connect to. If no port is specified,
1247+
the default port in the LDAP library will be used.
1248+
</para>
1249+
</listitem>
1250+
</varlistentry>
1251+
<varlistentry>
1252+
<term><literal>ldaptls</literal></term>
1253+
<listitem>
1254+
<para>
1255+
Set to <literal>1</> to make the connection between PostgreSQL and the
1256+
LDAP server use TLS encryption. Note that this only encrypts
1257+
the traffic to the LDAP server &mdash; the connection to the client
1258+
will still be unencrypted unless SSL is used.
1259+
</para>
1260+
</listitem>
1261+
</varlistentry>
12241262
<varlistentry>
12251263
<term><literal>ldapprefix</literal></term>
12261264
<listitem>
12271265
<para>
1228-
String to prepend to the username when forming the DN to bind as.
1266+
String to prepend to the username when forming the DN to bind as,
1267+
when doing simple bind authentication.
12291268
</para>
12301269
</listitem>
12311270
</varlistentry>
12321271
<varlistentry>
12331272
<term><literal>ldapsuffix</literal></term>
12341273
<listitem>
12351274
<para>
1236-
String to append to the username when forming the DN to bind as.
1275+
String to append to the username when forming the DN to bind as,
1276+
when doing simple bind authentication.
12371277
</para>
12381278
</listitem>
12391279
</varlistentry>
12401280
<varlistentry>
1241-
<term><literal>ldapport</literal></term>
1281+
<term><literal>ldapbasedn</literal></term>
12421282
<listitem>
12431283
<para>
1244-
Port number on LDAP server to connect to. If no port is specified,
1245-
the default port in the LDAP library will be used.
1284+
DN to root the search for the user in, when doing search+bind
1285+
authentication.
12461286
</para>
12471287
</listitem>
12481288
</varlistentry>
12491289
<varlistentry>
1250-
<term><literal>ldaptls</literal></term>
1290+
<term><literal>ldapbinddn</literal></term>
12511291
<listitem>
12521292
<para>
1253-
Set to <literal>1</> to make the connection between PostgreSQL and the
1254-
LDAP server use TLS encryption. Note that this only encrypts
1255-
the traffic to the LDAP server &mdash; the connection to the client
1256-
will still be unencrypted unless SSL is used.
1293+
DN of user to bind to the directory with to perform the search when
1294+
doing search+bind authentication.
12571295
</para>
12581296
</listitem>
12591297
</varlistentry>
1298+
<varlistentry>
1299+
<term><literal>ldapbindpasswd</literal></term>
1300+
<listitem>
1301+
<para>
1302+
Password for user to bind to the directory with to perform the search
1303+
when doing search+bind authentication.
1304+
</para>
1305+
</listitem>
1306+
</varlistentry>
1307+
<varlistentry>
1308+
<term><literal>ldapsearchattribute</literal></term>
1309+
<listitem>
1310+
<para>
1311+
Attribute to match against the username in the search when doing
1312+
search+bind authentication.
1313+
</para>
1314+
</listitem>
1315+
</varlistentry>
12601316
</variablelist>
12611317
</para>
12621318

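Review bot: the ldapbindpasswd entry should warn that this password is stored in cleartext in pg_hba.conf and is presented to the directory on every search+bind login, so the account named in ldapbinddn should be a dedicated read-only directory account with search rights on the ldapbasedn subtree only; one sentence to that effect belongs in its <para>. Two related gaps in the same hunk: the ldapsearchattribute entry omits the uid default that the paragraph above states, and the ldapbasedn entry does not say that supplying it is what selects search+bind mode (if that is the rule, this is where administrators will look for it). Also, the hunk moves the unchanged ldapport and ldaptls entries above ldapprefix, so the diff shows them as deleted and re-added; if the reordering is intended, a separate commit would keep the substantive additions easy to review.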