ldapurl is supported with simple bind

The docs currently imply that ldapurl is for search+bind only, but
that's not true.  Rearrange the docs to cover this better.

Add a test ldapurl with simple bind.  This was previously allowed but
unexercised, and now that it's documented it'd be good to pin the
behavior.

Improve error when mixing LDAP bind modes.  The option names had gone
stale; replace them with a more general statement.

Author: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: https://www.postgresql.org/message-id/flat/CAOYmi+nyg9gE0LeP=xQ3AgyQGR=5ZZMkVVbWd0uR8XQmg_dd5Q@mail.gmail.com

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index f1eb3b279ed4283cfc8653ed9623ff4a2f759570..51343de7cadbeb6ff66f06aeef1e0e0b448fe63d 100644 (file)
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1910,13 +1910,19 @@ omicron         bryanh                  guest1
         </para>
        </listitem>
       </varlistentry>
+     </variablelist>
+    </para>
+
+    <para>
+     The following option may be used as an alternative way to write some of the
+     above LDAP options in a more compact and standard form:
+     <variablelist>
       <varlistentry>
        <term><literal>ldapurl</literal></term>
        <listitem>
         <para>
          An <ulink url="https://datatracker.ietf.org/doc/html/rfc4516">RFC 4516</ulink>
-         LDAP URL.  This is an alternative way to write some of the
-         other LDAP options in a more compact and standard form.  The format is
+         LDAP URL.  The format is
 <synopsis>
 ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>][?[<replaceable>filter</replaceable>]]]]
 </synopsis>
@@ -1958,7 +1964,8 @@ ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<rep
 
    <para>
     It is an error to mix configuration options for simple bind with options
-    for search+bind.
+    for search+bind.  To use <literal>ldapurl</literal> in simple bind mode, the
+    URL must not contain a <literal>basedn</literal> or query elements.
    </para>
 
    <para>
@@ -1994,6 +2001,16 @@ host ... ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=exam
     succeeds, the database access is granted.
    </para>
 
+   <para>
+    Here is a different simple-bind configuration, which uses the LDAPS scheme
+    and a custom port number, written as a URL:
+<programlisting>
+host ... ldap ldapurl="ldaps://ldap.example.net:49151" ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
+</programlisting>
+    This is slightly more compact than specifying <literal>ldapserver</literal>,
+    <literal>ldapscheme</literal>, and <literal>ldapport</literal> separately.
+   </para>
+
    <para>
     Here is an example for a search+bind configuration:
 <programlisting>

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 18271def2e8c1668829709f91db7f475d0b94ed7..75d588e36a10eca9c863ad02eee1e5d9bf8af8cf 100644 (file)
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1907,10 +1907,10 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
            {
                ereport(elevel,
                        (errcode(ERRCODE_CONFIG_FILE_ERROR),
-                        errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix"),
+                        errmsg("cannot mix options for simple bind and search+bind modes"),
                         errcontext("line %d of configuration file \"%s\"",
                                    line_num, file_name)));
-               *err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter, or ldapurl together with ldapprefix";
+               *err_msg = "cannot mix options for simple bind and search+bind modes";
                return NULL;
            }
        }

diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 850db34503f11fe756e97ba35d722683d9239084..43e029921ca79ee3a27b81947a459607ce143d6d 100644 (file)
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -145,6 +145,22 @@ test_access($node, 'test1', 0, 'search+bind authentication succeeds');
 
 note "LDAP URLs";
 
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+   qq{local all all ldap ldapurl="$ldap_url" ldapprefix="uid=" ldapsuffix=",dc=example,dc=net"}
+);
+$node->restart;
+
+$ENV{"PGPASSWORD"} = 'wrong';
+test_access($node, 'test0', 2,
+   'simple bind with LDAP URL authentication fails if user not found in LDAP'
+);
+test_access($node, 'test1', 2,
+   'simple bind with LDAP URL authentication fails with wrong password');
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0,
+   'simple bind with LDAP URL authentication succeeds');
+
 unlink($node->data_dir . '/pg_hba.conf');
 $node->append_conf('pg_hba.conf',
    qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn?uid?sub"});