Here is the same patch as v2 but with "const" removed in case you want to
move forward with that change. Tested locally against the tests I wrote in
the other patch to sanity check the change.

On Thu, Apr 3, 2025 at 8:42 AM Tom Lane <t...@sss.pgh.pa.us> wrote:

> Peter Eisentraut <pe...@eisentraut.org> writes:
> > Here is a slightly polished version of this patch.  I added an error
> > message, and changed the return code, but it's a bit confusing which one
> > might be the right one.
>
> I'm kind of -0.5 on declaring the variable as "const", because none of
> our existing calls of ldap_set_option do that.  I do see that the
> Linux man page for ldap_set_option claims that that argument can be
> const, but I think you're risking a portability gotcha for no large
> gain.  LGTM otherwise.
>
> > My hunch right now is that we should probably take the patch that sets
> > the version option and consider it for backpatching.  The patch with the
> > tests can be held for detailed review later.
>
> +1 for that plan.
>
>                         regards, tom lane
>
From 4684d5cd1bc5c5150f6435bf2be1be9f957a4429 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Thu, 3 Apr 2025 15:06:13 +0200
Subject: [PATCH] libpq: Set LDAP protocol version 3

Some LDAP servers reject the default version 2 protocol.  So set
version 3 before starting the connection.  This matches how the
backend LDAP code has worked all along.

Co-authored-by: Andrew Jackson <andrewjackson...@gmail.com>
Discussion: https://www.postgresql.org/message-id/flat/CAKK5BkHixcivSCA9pfd_eUp7wkLRhvQ6OtGLAYrWC%3Dk7E76LDQ%40mail.gmail.com
---
 src/interfaces/libpq/fe-connect.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index ddcc7b60ab0..d9d064174de 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -5069,6 +5069,7 @@ ldapServiceLookup(const char *purl, PQconninfoOption *options,
 			   *entry;
 	struct berval **values;
 	LDAP_TIMEVAL time = {PGLDAP_TIMEOUT, 0};
+	int	ldapversion = LDAP_VERSION3;
 
 	if ((url = strdup(purl)) == NULL)
 	{
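Review bot: The new `ldapversion` local has no comment, and the only use visible in this patch is by address in the later ldap_set_option() call. A short comment saying it exists to be passed by pointer, and is deliberately left non-const as discussed in this thread, would keep a later cleanup from folding it into a literal or re-adding the qualifier.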
@@ -5200,6 +5201,15 @@ ldapServiceLookup(const char *purl, PQconninfoOption *options,
 		return 3;
 	}
 
+	if ((rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldapversion)) != LDAP_SUCCESS)
+	{
+		libpq_append_error(errorMessage, "could not set LDAP protocol version: %s",
+						   ldap_err2string(rc));
+		free(url);
+		ldap_unbind(ld);
+		return 3;
+	}
+
 	/*
 	 * Perform an explicit anonymous bind.
 	 *
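Review bot: The failure branch of the new ldap_set_option() call returns 3, the same value as the error path just above it, so callers cannot tell the two failures apart by return code. The cover text already says it is unclear which code is right, so check the choice against the return values documented for ldapServiceLookup() and record it there. A one-line comment above the call would also help, saying that some servers reject version 2 (as the commit message explains) and that the option is set before the bind that follows.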
-- 
2.47.2
