Re: [HACKERS] More flexible LDAP auth search filters?

On 9/12/17 19:04, Thomas Munro wrote: >> Any further thoughts on the test suite? Otherwise I'll commit it as we >> have it, for manual use. done > I wonder if there is a reasonable way to indicate or determine whether > you have slapd installed so that check-world could run this test... The

Re: [HACKERS] More flexible LDAP auth search filters?

On Wed, Sep 13, 2017 at 8:04 AM, Thomas Munro wrote: > I wonder if there is a reasonable way to indicate or determine whether > you have slapd installed so that check-world could run this test... Module::Install's requires_external_bin is one:

Re: [HACKERS] More flexible LDAP auth search filters?

On Wed, Sep 13, 2017 at 1:55 AM, Peter Eisentraut wrote: > On 9/11/17 23:58, Thomas Munro wrote: >> Sounds good. Here it is with $username. It's nice not to have to >> escape any characters in URLs. I suppose more keywords could be added >> in follow-up

Re: [HACKERS] More flexible LDAP auth search filters?

On 9/11/17 23:58, Thomas Munro wrote: > Sounds good. Here it is with $username. It's nice not to have to > escape any characters in URLs. I suppose more keywords could be added > in follow-up patches if someone thinks that would be useful > ($hostname, $dbname, ...?). I got sick of that buffer

Re: [HACKERS] More flexible LDAP auth search filters?

On Tue, Sep 12, 2017 at 7:21 AM, Peter Eisentraut wrote: > On 9/8/17 13:24, Mark Cave-Ayland wrote: >> My weapon of choice for LDAP deployments on POSIX-based systems is >> Arthur De Jong's nss-pam-ldapd (https://arthurdejong.org/nss-pam-ldapd) >> which is far

Re: [HACKERS] More flexible LDAP auth search filters?

On 9/8/17 21:31, Thomas Munro wrote: > +if ($^O eq 'darwin') > +{ > + $slapd = '/usr/local/opt/openldap/libexec/slapd'; > + $ldap_schema_dir = '/usr/local/etc/openldap/schema'; > +} > > I'm guessing this is the MacPorts location, and someone from that > other tribe that uses Brew can

Re: [HACKERS] More flexible LDAP auth search filters?

On 9/8/17 13:24, Mark Cave-Ayland wrote: > My weapon of choice for LDAP deployments on POSIX-based systems is > Arthur De Jong's nss-pam-ldapd (https://arthurdejong.org/nss-pam-ldapd) > which is far more flexible than pam_ldap and fixes a large number of > bugs, including the tendency for pam_ldap

Re: [HACKERS] More flexible LDAP auth search filters?

On Sat, Sep 9, 2017 at 3:33 AM, Peter Eisentraut wrote: > A couple of comments on this patch. I have attached a "fixup" patch on > top of your v4 that should address them. > > - I think the bracketing of the LDAP URL synopsis is wrong. +1 > - I have dropped

Re: [HACKERS] More flexible LDAP auth search filters?

On Sat, Sep 9, 2017 at 3:36 AM, Peter Eisentraut wrote: > For additional entertainment I have written a test suite for this LDAP > authentication functionality. It's not quite robust enough to be run by > default, because it needs a full OpenLDAP installation,

Re: [HACKERS] More flexible LDAP auth search filters?

On 08/09/17 16:33, Peter Eisentraut wrote: > A couple of comments on this patch. I have attached a "fixup" patch on > top of your v4 that should address them. > > - I think the bracketing of the LDAP URL synopsis is wrong. > > - I have dropped the sentence that LDAP URL extensions are not >

Re: [HACKERS] More flexible LDAP auth search filters?

For additional entertainment I have written a test suite for this LDAP authentication functionality. It's not quite robust enough to be run by default, because it needs a full OpenLDAP installation, but it's been very helpful for reviewing this patch. Here it is. -- Peter Eisentraut

Re: [HACKERS] More flexible LDAP auth search filters?

A couple of comments on this patch. I have attached a "fixup" patch on top of your v4 that should address them. - I think the bracketing of the LDAP URL synopsis is wrong. - I have dropped the sentence that LDAP URL extensions are not supported. That sentence was written mainly to point out

Re: [HACKERS] More flexible LDAP auth search filters?

On 01/08/17 23:17, Thomas Munro wrote: > On Wed, Aug 2, 2017 at 5:36 AM, Peter Eisentraut > wrote: >> On 7/16/17 19:09, Thomas Munro wrote: >>> On Mon, Jul 17, 2017 at 10:26 AM, Thomas Munro >>> wrote:

Re: [HACKERS] More flexible LDAP auth search filters?

On Wed, Aug 2, 2017 at 5:36 AM, Peter Eisentraut wrote: > On 7/16/17 19:09, Thomas Munro wrote: >> On Mon, Jul 17, 2017 at 10:26 AM, Thomas Munro >> wrote: >>> ldap-search-filters-v2.patch >> >> Gah, it would help if I could spell

Re: [HACKERS] More flexible LDAP auth search filters?

On 7/16/17 19:09, Thomas Munro wrote: > On Mon, Jul 17, 2017 at 10:26 AM, Thomas Munro > wrote: >> ldap-search-filters-v2.patch > > Gah, it would help if I could spell "occurrences" correctly. Fixed in > the attached. Please also add the corresponding support for

Re: [HACKERS] More flexible LDAP auth search filters?

On Sun, Jul 16, 2017 at 7:23 PM, Stephen Frost wrote: >> Refusing to improve LDAP for the users who have no choice seems like a very >> unfriendly thing to do. > > I'm fine with improving LDAP in general, but, as I tried to point out, > having a way to make it easier to

Re: [HACKERS] More flexible LDAP auth search filters?

On 17/07/17 18:08, Magnus Hagander wrote: > On Mon, Jul 17, 2017 at 6:47 PM, Mark Cave-Ayland > > > wrote: > Great to hear from you! It has definitely been a while... > > Indeed. You should spend more time on these lists

Re: [HACKERS] More flexible LDAP auth search filters?

On Mon, Jul 17, 2017 at 6:47 PM, Mark Cave-Ayland < mark.cave-ayl...@ilande.co.uk> wrote: > On 17/07/17 13:09, Magnus Hagander wrote: > > Hi Magnus, > > Great to hear from you! It has definitely been a while... > Indeed. You should spend more time on these lists :P > > > Generally you

Re: [HACKERS] More flexible LDAP auth search filters?

On 17/07/17 13:09, Magnus Hagander wrote: Hi Magnus, Great to hear from you! It has definitely been a while... > Generally you find that you will be given the option to set the > attribute for the default search filter of the form > "(attribute=username)" which defaults to uid for

Re: [HACKERS] More flexible LDAP auth search filters?

On Mon, Jul 17, 2017 at 1:23 AM, Stephen Frost wrote: > > * Magnus Hagander (mag...@hagander.net) wrote: > > On Sun, Jul 16, 2017 at 11:05 PM, Stephen Frost > wrote: > > > I'd suggest that we try to understand why Kerberos couldn't be used in > > > that

Re: [HACKERS] More flexible LDAP auth search filters?

On Sun, Jul 16, 2017 at 7:58 PM, Mark Cave-Ayland < mark.cave-ayl...@ilande.co.uk> wrote: > On 16/07/17 00:08, Thomas Munro wrote: > > > On Fri, Jul 14, 2017 at 11:04 PM, Magnus Hagander > wrote: > >> On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro > >>

Re: [HACKERS] More flexible LDAP auth search filters?

On 17/07/17 00:14, Stephen Frost wrote: >> If it helps, we normally recommend that clients use ldaps for both AD >> and UNIX environments, although this can be trickier from an >> administrative perspective in AD environments because it can require >> changes to the Windows firewall and

Re: [HACKERS] More flexible LDAP auth search filters?

Magnus, * Magnus Hagander (mag...@hagander.net) wrote: > On Sun, Jul 16, 2017 at 11:05 PM, Stephen Frost wrote: > > I'd suggest that we try to understand why Kerberos couldn't be used in > > that environment. I suspect in at least some cases what users would > > like is the

Re: [HACKERS] More flexible LDAP auth search filters?

Mark, * Mark Cave-Ayland (mark.cave-ayl...@ilande.co.uk) wrote: > On 16/07/17 23:26, Thomas Munro wrote: > > Thank you very much for this feedback and example, which I used in the > > documentation in the patch. I see similar examples in the > > documentation for other things on the web. > > >

Re: [HACKERS] More flexible LDAP auth search filters?

On Mon, Jul 17, 2017 at 10:26 AM, Thomas Munro wrote: > ldap-search-filters-v2.patch Gah, it would help if I could spell "occurrences" correctly. Fixed in the attached. -- Thomas Munro http://www.enterprisedb.com ldap-search-filters-v3.patch Description:

Re: [HACKERS] More flexible LDAP auth search filters?

On 16/07/17 23:26, Thomas Munro wrote: > Thank you very much for this feedback and example, which I used in the > documentation in the patch. I see similar examples in the > documentation for other things on the web. > > I'll leave it up to Magnus and Stephen to duke it out over whether we >

Re: [HACKERS] More flexible LDAP auth search filters?

On Mon, Jul 17, 2017 at 5:58 AM, Mark Cave-Ayland wrote: >> Any other views from LDAP-users? > > I've spent quite a bit of time integrating various bits of > non-PostgreSQL software to LDAP and in my experience option 3 tends to > be the standard. > > Generally you

Re: [HACKERS] More flexible LDAP auth search filters?

On Sun, Jul 16, 2017 at 11:05 PM, Stephen Frost wrote: > Magnus, all, > > * Magnus Hagander (mag...@hagander.net) wrote: > > (FWIW, a workaround I've applied more than once to this in AD > environments > > (where kerberos for one reason or other can't be done, sorry Stephen)

Re: [HACKERS] More flexible LDAP auth search filters?

Magnus, all, * Magnus Hagander (mag...@hagander.net) wrote: > (FWIW, a workaround I've applied more than once to this in AD environments > (where kerberos for one reason or other can't be done, sorry Stephen) is to > set up a RADIUS server and use that one as a "middle man". But it would be >

Re: [HACKERS] More flexible LDAP auth search filters?

On 16/07/17 00:08, Thomas Munro wrote: > On Fri, Jul 14, 2017 at 11:04 PM, Magnus Hagander wrote: >> On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro >> wrote: >>> A post on planet.postgresql.org today reminded me that a colleague had >>> asked

Re: [HACKERS] More flexible LDAP auth search filters?

On Sun, Jul 16, 2017 at 1:08 AM, Thomas Munro wrote: > On Fri, Jul 14, 2017 at 11:04 PM, Magnus Hagander > wrote: > > On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro > > wrote: > >> A post on

Re: [HACKERS] More flexible LDAP auth search filters?

On Fri, Jul 14, 2017 at 11:04 PM, Magnus Hagander wrote: > On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro > wrote: >> A post on planet.postgresql.org today reminded me that a colleague had >> asked me to post this POC patch here for discussion.

Re: [HACKERS] More flexible LDAP auth search filters?

On Thu, Jul 13, 2017 at 9:31 AM, Thomas Munro wrote: > Hi hackers, > > A customer asked how to use pg_hba.conf LDAP search+bind > authentication to restrict logins to users in one of a small number of > groups. ldapsearchattribute only lets you make filters like

[HACKERS] More flexible LDAP auth search filters?

Hi hackers, A customer asked how to use pg_hba.conf LDAP search+bind authentication to restrict logins to users in one of a small number of groups. ldapsearchattribute only lets you make filters like "(foo=username)", so it couldn't be done. Is there any reason we should allow a more general