On Fri, Feb 9, 2018 at 4:05 PM, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote:
> After the LDAP code was switched to use ldap_initialize() as part of the
> ldaps support, ldapi (LDAP over Unix-domain sockets) also works. I
> noticed an old bug report (#13625) that asked for it. So I suggest this
> patch to document this and add some tests.
>
> One flaw is that this only works when using the URL syntax. Providing a
> separate option would require coding URL escaping, since ultimately a
> URL must be composed and passed to ldap_initialize(). But since
> OpenLDAP apparently now considers URLs to be the preferred form for
> connection parameters, I'm comfortable just sticking to that format.
Nice. The test doesn't actually succeed in reloading the pg_hba.conf file though:

2018-02-09 16:41:15.886 NZDT [24472] LOG: received SIGHUP, reloading configuration files
2018-02-09 16:41:15.893 NZDT [24472] LOG: unsupported LDAP URL scheme: ldapi
2018-02-09 16:41:15.893 NZDT [24472] LOG: pg_hba.conf was not reloaded

I think hba.c needs to learn to consider "ldapi" to be acceptable (after it parses the URL). Then I think when InitializeLDAPConnection() reconstitutes the URL with psprintf, it'll probably need to avoid sticking :port on the end. The fact that we take the URL to pieces and then stick it back together again may seem a bit odd, but it is required by the documentation (ldap_initialize() wants a URL "containing only the schema, the host, and the port fields").

I see there is another scheme called "cldap" (which seems to be something like LDAP over UDP). I wonder if anyone cares about that.

-- 
Thomas Munro
http://www.enterprisedb.com
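The two fixes the reply asks for (accept the "ldapi" scheme when validating a parsed URL, and leave ":port" off when the URL is rebuilt for ldap_initialize()) are illustrated below in a self-contained C helper. This is an added example, not PostgreSQL's hba.c or InitializeLDAPConnection(); the function names ldap_scheme_is_supported(), percent_encode_path() and build_ldap_url() are hypothetical, and the socket path in the test is constructed. It also covers the URL-escaping point from the quoted message: an ldapi host field is a Unix socket path, which OpenLDAP expects percent-encoded (for example ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scheme check a parser could apply after splitting the URL: ldap, ldaps
 * and ldapi are accepted; anything else (e.g. cldap) is rejected.
 * Hypothetical helper, not PostgreSQL's own code. */
int
ldap_scheme_is_supported(const char *scheme)
{
    return strcmp(scheme, "ldap") == 0 ||
           strcmp(scheme, "ldaps") == 0 ||
           strcmp(scheme, "ldapi") == 0;
}

/* Percent-encode a Unix socket path so it can sit in the host field of an
 * ldapi:// URL. Unreserved characters (RFC 3986) pass through; everything
 * else, including '/', becomes %XX. Caller frees the result. */
char *
percent_encode_path(const char *path)
{
    size_t len = strlen(path);
    char *out = malloc(3 * len + 1);  /* worst case: every byte escaped */
    char *p = out;

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) path[i];

        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~')
            *p++ = (char) c;
        else
            p += sprintf(p, "%%%02X", c);
    }
    *p = '\0';
    return out;
}

/* Reconstitute the "scheme, host, port" URL that ldap_initialize() wants
 * from the pieces a parser produced. For ldapi the host is the socket path
 * and no port is appended; for ldap/ldaps the port is kept. Returns a
 * malloc'd string, or NULL for an unsupported scheme or allocation failure. */
char *
build_ldap_url(const char *scheme, const char *host, int port)
{
    char *url;

    if (!ldap_scheme_is_supported(scheme))
        return NULL;

    if (strcmp(scheme, "ldapi") == 0) {
        char *enc = percent_encode_path(host);

        if (enc == NULL)
            return NULL;
        url = malloc(strlen(scheme) + 3 + strlen(enc) + 1);
        if (url != NULL)
            sprintf(url, "%s://%s", scheme, enc);
        free(enc);
        return url;
    }

    /* 3 for "://", 1 for ':', up to 11 for a signed int, 1 for NUL */
    url = malloc(strlen(scheme) + 3 + strlen(host) + 1 + 11 + 1);
    if (url != NULL)
        sprintf(url, "%s://%s:%d", scheme, host, port);
    return url;
}

int
main(void)
{
    /* Constructed inputs: a socket path for ldapi, a hostname for ldaps. */
    char *a = build_ldap_url("ldapi", "/tmp/slapd.sock", 0);
    char *b = build_ldap_url("ldaps", "ldap.example.com", 636);
    char *c = build_ldap_url("cldap", "ldap.example.com", 389);

    printf("%s\n%s\n%s\n", a, b, c ? c : "(rejected: unsupported scheme)");
    free(a);
    free(b);
    free(c);
    return 0;
}
```

The encoded socket path is what makes a separate "ldapi socket path" option possible without handing raw paths to ldap_initialize(); the scheme check mirrors the log line above, where the reload failed because "ldapi" was not in the accepted set.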