On Mon, Jul 17, 2017 at 5:58 AM, Mark Cave-Ayland
<mark.cave-ayl...@ilande.co.uk> wrote:
>> Any other views from LDAP-users?
>
> I've spent quite a bit of time integrating various bits of
> non-PostgreSQL software to LDAP and in my experience option 3 tends to
> be the standard.
>
> Generally you find that you will be given the option to set the
> attribute for the default search filter of the form
> "(attribute=username)" which defaults to uid for UNIX-type systems and
> sAMAccountName for AD. However there is always the ability to specify a
> custom filter where the user is substituted via e.g. %u to cover all the
> other use-cases.

Cool. Here is a new version of the patch updated to do it exactly like that. I tested it against OpenLDAP.

> As an example, I don't know if anyone would actually do this with
> PostgreSQL but I've been asked on multiple occasions to configure
> software so that users should be allowed to log in with either their
> email address or username which is easily done with a custom LDAP filter
> like "(|(mail=%u)(uid=%u))".

Thank you very much for this feedback and example, which I used in the documentation in the patch. I see similar examples in the documentation for other things on the web.

I'll leave it up to Magnus and Stephen to duke it out over whether we want to encourage LDAP usage, extend documentation to warn about cleartext passwords with certain LDAP implementations or configurations, etc etc. I'll add this patch to the commitfest and get some popcorn.

--
Thomas Munro
http://www.enterprisedb.com
--
Sent via pgsql-hackers mailing list (firstname.lastname@example.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
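
The %u substitution discussed in this thread, as an added example (not code from the attached patch or from PostgreSQL): it expands a filter template and escapes the RFC 4515 filter metacharacters in the user name, so the supplied name is only ever matched as a value. The helper names and the sample user names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Append src at dst[off]; the RFC 4515 filter metacharacters '*', '(', ')' and
 * backslash become a backslash plus two hex digits. Returns the new offset or -1. */
static int append_escaped(char *dst, int cap, int off, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    for (; *src; src++) {
        if (*src == '*' || *src == '(' || *src == ')' || *src == '\\') {
            if (off + 3 >= cap) return -1;      /* keep room for the NUL */
            dst[off++] = '\\';
            dst[off++] = hex[*src >> 4];
            dst[off++] = hex[*src & 0x0f];
        } else {
            if (off + 1 >= cap) return -1;
            dst[off++] = *src;
        }
    }
    return off;
}

/* Hypothetical helper: expand each "%u" in tmpl; 0 on success, -1 if out is too small. */
int expand_ldap_filter(const char *tmpl, const char *user, char *out, int cap)
{
    int off = 0;
    while (*tmpl) {
        if (tmpl[0] == '%' && tmpl[1] == 'u') {
            if ((off = append_escaped(out, cap, off, user)) < 0) return -1;
            tmpl += 2;
        } else {
            if (off + 1 >= cap) return -1;
            out[off++] = *tmpl++;
        }
    }
    out[off] = '\0';
    return 0;
}

int main(void)
{
    const char *tmpl = "(|(mail=%u)(uid=%u))";   /* filter quoted in the thread */
    const char *users[] = { "alice", "alice@example.com", "a*(b)" }; /* constructed */
    char filter[256];
    for (int i = 0; i < 3; i++)
        if (expand_ldap_filter(tmpl, users[i], filter, sizeof filter) == 0)
            printf("%s -> %s\n", users[i], filter);
    return 0;
}
```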