</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><literal>ldapsearchfilter</literal></term>
+ <listitem>
+ <para>
+ The search filter to use when doing search+bind authentication.
+ Occurrences of <literal>$username</literal> will be replaced with the
+ user name. This allows for more flexible search filters than
+ <literal>ldapsearchattribute</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><literal>ldapurl</literal></term>
<listitem>
An RFC 4516 LDAP URL. This is an alternative way to write some of the
other LDAP options in a more compact and standard form. The format is
<synopsis>
-ldap://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>]]]
+ldap://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>][?[<replaceable>filter</replaceable>]]]]
</synopsis>
<replaceable>scope</replaceable> must be one
of <literal>base</literal>, <literal>one</literal>, <literal>sub</literal>,
- typically the latter. Only one attribute is used, and some other
- components of standard LDAP URLs such as filters and extensions are
- not supported.
+ typically the last. <replaceable>attribute</replaceable> can
+ nominate a single attribute, in which case it is used as a value for
+ <literal>ldapsearchattribute</literal>. If
+ <replaceable>attribute</replaceable> is empty then
+ <replaceable>filter</replaceable> can be used as a value for
+ <literal>ldapsearchfilter</literal>.
</para>
<para>
for search+bind.
</para>
+ <para>
+ When using search+bind mode, the search can be performed using a single
+ attribute specified with <literal>ldapsearchattribute</literal>, or using
+ a custom search filter specified with
+ <literal>ldapsearchfilter</literal>.
+ Specifying <literal>ldapsearchattribute=foo</literal> is equivalent to
+ specifying <literal>ldapsearchfilter="(foo=$username)"</literal>. If neither
+ option is specified the default is
+ <literal>ldapsearchattribute=uid</literal>.
+ </para>
+
<para>
Here is an example for a simple-bind LDAP configuration:
<programlisting>
same URL format, so it will be easier to share the configuration.
</para>
+ <para>
+ Here is an example for a search+bind configuration that uses
+ <literal>ldapsearchfilter</literal> instead of
+ <literal>ldapsearchattribute</literal> to allow authentication by
+ user ID or email address:
+<programlisting>
+host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapsearchfilter="(|(uid=$username)(mail=$username))"
+</programlisting>
+ </para>
+
<tip>
<para>
Since LDAP often uses commas and spaces to separate the different
return STATUS_OK;
}
+/* Placeholders recognized by FormatSearchFilter. For now just one. */
+#define LPH_USERNAME "$username"
+#define LPH_USERNAME_LEN (sizeof(LPH_USERNAME) - 1)
+
+/*
+ * Return a newly allocated C string copied from "pattern" with all
+ * occurrences of the placeholder "$username" replaced with "user_name".
+ */
+static char *
+FormatSearchFilter(const char *pattern, const char *user_name)
+{
+ StringInfoData output;
+
+ initStringInfo(&output);
+ while (*pattern != '\0')
+ {
+ if (strncmp(pattern, LPH_USERNAME, LPH_USERNAME_LEN) == 0)
+ {
+ appendStringInfoString(&output, user_name);
+ pattern += LPH_USERNAME_LEN;
+ }
+ else
+ appendStringInfoChar(&output, *pattern++);
+ }
+
+ return output.data;
+}
+
/*
* Perform LDAP authentication
*/
char *filter;
LDAPMessage *search_message;
LDAPMessage *entry;
- char *attributes[2];
+ char *attributes[] = { LDAP_NO_ATTRS, NULL };
char *dn;
char *c;
int count;
return STATUS_ERROR;
}
- /* Fetch just one attribute, else *all* attributes are returned */
- attributes[0] = port->hba->ldapsearchattribute ? port->hba->ldapsearchattribute : "uid";
- attributes[1] = NULL;
-
- filter = psprintf("(%s=%s)",
- attributes[0],
- port->user_name);
+ /* Build a custom filter or a single attribute filter? */
+ if (port->hba->ldapsearchfilter)
+ filter = FormatSearchFilter(port->hba->ldapsearchfilter, port->user_name);
+ else if (port->hba->ldapsearchattribute)
+ filter = psprintf("(%s=%s)", port->hba->ldapsearchattribute, port->user_name);
+ else
+ filter = psprintf("(uid=%s)", port->user_name);
r = ldap_search_s(ldap,
port->hba->ldapbasedn,
/*
* LDAP can operate in two modes: either with a direct bind, using
* ldapprefix and ldapsuffix, or using a search+bind, using
- * ldapbasedn, ldapbinddn, ldapbindpasswd and ldapsearchattribute.
- * Disallow mixing these parameters.
+ * ldapbasedn, ldapbinddn, ldapbindpasswd and one of
+ * ldapsearchattribute or ldapsearchfilter. Disallow mixing these
+ * parameters.
*/
if (parsedline->ldapprefix || parsedline->ldapsuffix)
{
if (parsedline->ldapbasedn ||
parsedline->ldapbinddn ||
parsedline->ldapbindpasswd ||
- parsedline->ldapsearchattribute)
+ parsedline->ldapsearchattribute ||
+ parsedline->ldapsearchfilter)
{
ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, or ldapurl together with ldapprefix"),
+ errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter or ldapurl together with ldapprefix"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
- *err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, or ldapurl together with ldapprefix";
+ *err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, ldapsearchfilter or ldapurl together with ldapprefix";
return NULL;
}
}
*err_msg = "authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
return NULL;
}
+
+ /*
+ * When using search+bind, you can either use a simple attribute
+ * (defaulting to "uid") or a fully custom search filter. You can't
+ * do both.
+ */
+ if (parsedline->ldapsearchattribute && parsedline->ldapsearchfilter)
+ {
+ ereport(elevel,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("cannot use ldapsearchattribute together with ldapsearchfilter"),
+ errcontext("line %d of configuration file \"%s\"",
+ line_num, HbaFileName)));
+ *err_msg = "cannot use ldapsearchattribute together with ldapsearchfilter";
+ return NULL;
+ }
}
if (parsedline->auth_method == uaRADIUS)
hbaline->ldapsearchattribute = pstrdup(urldata->lud_attrs[0]); /* only use first one */
hbaline->ldapscope = urldata->lud_scope;
if (urldata->lud_filter)
- {
- ereport(elevel,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("filters not supported in LDAP URLs")));
- *err_msg = "filters not supported in LDAP URLs";
- ldap_free_urldesc(urldata);
- return false;
- }
+ hbaline->ldapsearchfilter = pstrdup(urldata->lud_filter);
ldap_free_urldesc(urldata);
#else /* not OpenLDAP */
ereport(elevel,
REQUIRE_AUTH_OPTION(uaLDAP, "ldapsearchattribute", "ldap");
hbaline->ldapsearchattribute = pstrdup(val);
}
+ else if (strcmp(name, "ldapsearchfilter") == 0)
+ {
+ REQUIRE_AUTH_OPTION(uaLDAP, "ldapsearchfilter", "ldap");
+ hbaline->ldapsearchfilter = pstrdup(val);
+ }
else if (strcmp(name, "ldapbasedn") == 0)
{
REQUIRE_AUTH_OPTION(uaLDAP, "ldapbasedn", "ldap");
CStringGetTextDatum(psprintf("ldapsearchattribute=%s",
hba->ldapsearchattribute));
+ if (hba->ldapsearchfilter)
+ options[noptions++] =
+ CStringGetTextDatum(psprintf("ldapsearchfilter=%s",
+ hba->ldapsearchfilter));
+
if (hba->ldapscope)
options[noptions++] =
CStringGetTextDatum(psprintf("ldapscope=%d", hba->ldapscope));
char *ldapbinddn;
char *ldapbindpasswd;
char *ldapsearchattribute;
+ char *ldapsearchfilter;
char *ldapbasedn;
int ldapscope;
char *ldapprefix;
projects / postgresql / commitdiff