On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro <thomas.mu...@enterprisedb.com
> wrote:

> Hi hackers,
> A customer asked how to use pg_hba.conf LDAP search+bind
> authentication to restrict logins to users in one of a small number of
> groups.  ldapsearchattribute only lets you make filters like
> "(foo=username)", so it couldn't be done.  Is there any reason we
> should allow a more general kind of search filter constructions?
> A post on planet.postgresql.org today reminded me that a colleague had
> asked me to post this POC patch here for discussion.  It allows custom
> filters with ldapsearchprefix and ldapsearchsuffix.  Another approach
> might be to take a filter pattern with "%USERNAME%" or whatever in it.
> There's an existing precedent for the prefix and suffix approach, but
> on the other hand a pattern approach would allow filters where the
> username is inserted more than once.

Do we even need prefix/suffix? If we just make it "ldapsearchpattern", then
you could have something like:

ldapsearchfilter="|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team)"

We could then always to substitution of the kind:

which would in this case give:
(&(uid=mha)(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team)))

Basically we'd always AND together the username lookup with the additional

Perhaps there are better ways to organise your LDAP servers so that
> this sort of thing isn't necessary.  I don't know.  Thoughts?

I think something along this way is definitely wanted. We can argue the
syntax, but being able to filter like this is definitely useful.

(FWIW, a workaround I've applied more than once to this in AD environments
(where kerberos for one reason or other can't be done, sorry Stephen) is to
set up a RADIUS server and use that one as a "middle man". But it would be
much better if we could do it natively)

 Magnus Hagander
 Me: https://www.hagander.net/ <http://www.hagander.net/>
 Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>

Reply via email to