Friday, August 1, 2008

Re: [HACKERS] So, what's the "base dn" in an LDAP URL again?

Tom Lane wrote:
> The fine manual claims that the "base dn" part of an LDAP URL
> is meaningful:
>
> The server will bind to the distinguished name specified as base
> dn using the user name supplied by the client. If prefix and
> suffix is specified, it will be prepended and appended to the
> user name before the bind.
>
> But looking at CheckLDAPAuth() just now, it doesn't do anything at all
> with the basedn part of the string. Seems to me this is either a code
> bug or a docs bug.

I think it's a docs bug. You don't "bind to the dn...". You bind *with*
a DN, and that one is made out of <prefix><username><suffix>.

IIRC, my original intent was for it to bind using that and then attempt
to access the location specified by basedn, so one could set permissions
on that object. But I never did implement that - and even if I did, the
docs would still be wrong.

So, the docs should be fixed - I'll take a look at that.

It does mean that basedn isn't used, and could be removed. But we're
obviously not going to do that in a backbranch, since it'd change the
syntax. As for HEAD, I'd leave it in as well, since the changes I'm
working on for pg_hba parameters will likely make the syntax change
anyway - and there's no point in doing it twice. Seems fair?

//Magnus


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
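The construction Magnus describes, as an added example that is not part of the thread and not PostgreSQL's own code: it parses a pg_hba.conf LDAP URL in the form assumed here, `ldap[s]://server[:port]/basedn[;prefix[;suffix]]`, and builds the bind DN as `<prefix><username><suffix>`, leaving the parsed base dn unused, exactly as the thread says the server does. The default ports (389/636) and the RFC 4514 escaping of the username are assumptions and added hardening for illustration, not something the thread claims the server implements; the sample URL and user names are constructed.

```python
from dataclasses import dataclass

# Constructed sample URL in the assumed 8.3-style syntax (not taken from the thread).
EXAMPLE_URL = "ldap://ldap.example.net/dc=example,dc=net;uid=;,ou=people,dc=example,dc=net"


@dataclass(frozen=True)
class LdapAuthConfig:
    use_tls: bool
    host: str
    port: int
    basedn: str   # parsed from the URL but, per the thread, never used for the bind
    prefix: str
    suffix: str


def parse_ldap_url(url: str) -> LdapAuthConfig:
    """Parse ldap[s]://server[:port]/basedn[;prefix[;suffix]] (assumed syntax)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("expected an ldap:// or ldaps:// URL")
    netloc, _, path = rest.partition("/")
    host, _, port_str = netloc.partition(":")
    if not host:
        raise ValueError("missing LDAP server name")
    use_tls = scheme == "ldaps"
    # Assumed defaults: 389 for plain LDAP, 636 for LDAP over TLS.
    port = int(port_str) if port_str else (636 if use_tls else 389)
    # Only ';' separates the three fields; commas inside DNs are left alone.
    parts = path.split(";")
    if len(parts) > 3:
        raise ValueError("too many ';'-separated fields after the base dn")
    basedn = parts[0]
    prefix = parts[1] if len(parts) > 1 else ""
    suffix = parts[2] if len(parts) > 2 else ""
    return LdapAuthConfig(use_tls, host, port, basedn, prefix, suffix)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value spliced into a DN.

    Added hardening for the example; the thread does not say the server does this.
    Escapes '"', '+', ',', ';', '<', '>', '\\' anywhere, '#' or space at the start,
    space at the end, and NUL as \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '",+;<>\\' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(cfg: LdapAuthConfig, username: str, escape: bool = True) -> str:
    """Return <prefix><username><suffix>.

    cfg.basedn is deliberately not consulted: this mirrors the behaviour the
    thread describes, where the base dn part of the URL has no effect on the bind.
    """
    user = escape_dn_value(username) if escape else username
    return f"{cfg.prefix}{user}{cfg.suffix}"


if __name__ == "__main__":
    cfg = parse_ldap_url(EXAMPLE_URL)
    print("server  :", cfg.host, cfg.port, "tls" if cfg.use_tls else "plain")
    print("basedn  :", cfg.basedn, "(parsed, unused)")
    for name in ("magnus", "a,b"):
        print(f"bind DN for {name!r}:", build_bind_dn(cfg, name))
```

The `escape` flag exists so the two behaviours can be compared side by side: with it off, a user name containing a DN special character is spliced in verbatim and changes the shape of the resulting DN, which is the caveat anyone concatenating untrusted input into a DN should keep in mind.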
