On Sun, Jul 16, 2017 at 1:08 AM, Thomas Munro <thomas.mu...@enterprisedb.com > wrote:
> On Fri, Jul 14, 2017 at 11:04 PM, Magnus Hagander <mag...@hagander.net> > wrote: > > On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro > > <thomas.mu...@enterprisedb.com> wrote: > >> A post on planet.postgresql.org today reminded me that a colleague had > >> asked me to post this POC patch here for discussion. It allows custom > >> filters with ldapsearchprefix and ldapsearchsuffix. Another approach > >> might be to take a filter pattern with "%USERNAME%" or whatever in it. > >> There's an existing precedent for the prefix and suffix approach, but > >> on the other hand a pattern approach would allow filters where the > >> username is inserted more than once. > > > > > > Do we even need prefix/suffix? If we just make it "ldapsearchpattern", > then > > you could have something like: > > > > ldapsearchattribute="uid" > > ldapsearchfilter="|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA > Team)" > > > > We could then always to substitution of the kind: > > (&(attr=<uid>)(<filter>)) > > > > which would in this case give: > > (&(uid=mha)(|(memberof=cn=Paris DBA Team)(memberof=cn=Tokyo DBA Team))) > > > > > > Basically we'd always AND together the username lookup with the > additional > > filter. > > Ok, so we have 3 ideas put forward: > > 1. Wrap username with ldapsearchprefix ldapsearchsuffix to build > filter (as implemented by POC patch) > 2. Optionally AND ldapsearchfilter with the existing > ldapsearchattribute-based filter (Magnus's proposal) > 3. Pattern-based ldapsearchfilter so that %USER% is replaced with > username (my other suggestion) > > The main argument for approach 1 is that it follows the style of the > bind-only mode. > Agreed, but I'm not sure it's a good style to follow (and yes, I think I may be the original author of it..). I'd rank option 3 over option 1. > > With idea 2, I wonder if there are some more general kinds of things > that people might want to do that that wouldn't be possible because it > has to include (attribute=user)... perhaps something involving a > substring or other transformation functions (but I'm no LDAP expert, > that may not make sense). > Yeah, that's exactly what I'm wondering about it :) > > With idea 3 it would allow "(|(foo=%USER%)(bar=%USER%))", though I > don't know if any such multiple-mention filters would ever make sense > in a sane LDAP configuration. > > Any other views from LDAP-users? > > +1 for some input from people who directly use it in larger LDAP environments. If we're going to change how it works, let's make it right this time! -- Magnus Hagander Me: https://www.hagander.net/ <http://www.hagander.net/> Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>