Fix handling of HBA ldapserver with multiple hostnames.

Commit 35c0754f failed to handle space-separated lists of alternative
hostnames in ldapserver, when building a URI for ldap_initialize()
(OpenLDAP).  Such lists need to be expanded to space-separated URIs.

Repair.  Back-patch to 11, to fix bug report #15495.

Author: Thomas Munro
Reported-by: Renaud Navarro
Discussion: https://postgr.es/m/15495-2c39fc196c95cd72%40postgresql.org

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 85175655359829a2cf50dd883066bbb3d45e2286..bbf102ed7de9b29a9c0438be3c2c6f9822b29de8 100644 (file)
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2352,12 +2352,44 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 #else
 #ifdef HAVE_LDAP_INITIALIZE
        {
-               char       *uri;
+               const char *hostnames = port->hba->ldapserver;
+               char       *uris = NULL;
 
-               uri = psprintf("%s://%s:%d", scheme, port->hba->ldapserver,
-                                          port->hba->ldapport);
-               r = ldap_initialize(ldap, uri);
-               pfree(uri);
+               /*
+                * We have a space-separated list of hostnames.  Convert it
+                * to a space-separated list of URIs.
+                */
+               do
+               {
+                       const char *hostname;
+                       size_t          hostname_size;
+                       char       *new_uris;
+
+                       /* Find the leading hostname. */
+                       hostname_size = strcspn(hostnames, " ");
+                       hostname = pnstrdup(hostnames, hostname_size);
+
+                       /* Append a URI for this hostname. */
+                       new_uris = psprintf("%s%s%s://%s:%d",
+                                                               uris ? uris : "",
+                                                               uris ? " " : "",
+                                                               scheme,
+                                                               hostname,
+                                                               port->hba->ldapport);
+
+                       pfree(hostname);
+                       if (uris)
+                               pfree(uris);
+                       uris = new_uris;
+
+                       /* Step over this hostname and any spaces. */
+                       hostnames += hostname_size;
+                       while (*hostnames == ' ')
+                               ++hostnames;
+               } while (*hostnames);
+
+               r = ldap_initialize(ldap, uris);
+               pfree(uris);
                if (r != LDAP_SUCCESS)
                {
                        ereport(LOG,

diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 67b406c981b360439882788fc7346078441f433e..431ad6442c3e152a09666baf4fa7b009c7282706 100644 (file)
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -6,7 +6,7 @@ use Test::More;
 
 if ($ENV{with_ldap} eq 'yes')
 {
-       plan tests => 19;
+       plan tests => 22;
 }
 else
 {
@@ -179,6 +179,22 @@ test_access($node, 'test1', 2,
 $ENV{"PGPASSWORD"} = 'secret1';
 test_access($node, 'test1', 0, 'search+bind authentication succeeds');
 
+note "multiple servers";
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+       qq{local all all ldap ldapserver="$ldap_server $ldap_server" ldapport=$ldap_port ldapbasedn="$ldap_basedn"}
+);
+$node->restart;
+
+$ENV{"PGPASSWORD"} = 'wrong';
+test_access($node, 'test0', 2,
+       'search+bind authentication fails if user not found in LDAP');
+test_access($node, 'test1', 2,
+       'search+bind authentication fails with wrong password');
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0, 'search+bind authentication succeeds');
+
 note "LDAP URLs";
 
 unlink($node->data_dir . '/pg_hba.conf');