On 22.03.25 22:22, Andrew Jackson wrote:
Apologies, forgot to attach the patch in the prior email.

On Sat, Mar 22, 2025 at 4:10 PM Andrew Jackson <andrewjackson...@gmail.com> wrote:

    Currently the LDAP usage in fe-connect.c does not explicitly set the
    protocol version to v3. This causes issues with many LDAP servers as
    they will often require clients to use the v3 protocol and disallow
    any use of the v2 protocol. Further, the other usage of LDAP in
    postgres (in `backend/libpq/auth.c`) uses the v3 protocol.

    This patch changes fe-connect.c so that it uses the v3 protocol
    similar to `backend/libpq/auth.c`.

    One further note is that I do not currently see any test coverage
    over the LDAP functionality in `fe-connect.c`. I am happy to add
    that to this patch if needed.

Here is a slightly polished version of this patch. I added an error message, and changed the return code, but it's a bit confusing which one might be the right one.

I also looked over the test file that you sent in a separate message. That also looks generally ok, but I'm not so deep into LDAP right now that I can give a detailed review.

My hunch right now is that we should probably take the patch that sets the version option and consider it for backpatching. The patch with the tests can be held for detailed review later.
From c1e85711e1b0c7efcd1fa55cc46db959e12d6cfb Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Thu, 3 Apr 2025 15:06:13 +0200
Subject: [PATCH v2] libpq: Set LDAP protocol version 3

Some LDAP servers reject the default version 2 protocol.  So set
version 3 before starting the connection.  This matches how the
backend LDAP code has worked all along.

Co-authored-by: Andrew Jackson <andrewjackson...@gmail.com>
Discussion: https://www.postgresql.org/message-id/flat/CAKK5BkHixcivSCA9pfd_eUp7wkLRhvQ6OtGLAYrWC%3Dk7E76LDQ%40mail.gmail.com
---
 src/interfaces/libpq/fe-connect.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/interfaces/libpq/fe-connect.c 
b/src/interfaces/libpq/fe-connect.c
index 715b5d5aff4..d45fd6bdcf9 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -5475,6 +5475,7 @@ ldapServiceLookup(const char *purl, PQconninfoOption 
*options,
                           *entry;
        struct berval **values;
        LDAP_TIMEVAL time = {PGLDAP_TIMEOUT, 0};
+       const int       ldapversion = LDAP_VERSION3;
 
        if ((url = strdup(purl)) == NULL)
        {
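Review bot: the patch as quoted here has been re-wrapped by the mail client, so it will not apply from this copy: the hunk header `@@ -5475,6 +5475,7 @@ ldapServiceLookup(const char *purl, PQconninfoOption` continues on the next line as `*options,`, and the same happens to the `ldap_set_option` and `libpq_append_error` lines in the second hunk. Review and apply the attachment from the Discussion link rather than this inline text. The declaration itself, `const int ldapversion = LDAP_VERSION3;`, is fine where it is: the value has to live in a named object because `ldap_set_option` takes it by address.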
@@ -5606,6 +5607,15 @@ ldapServiceLookup(const char *purl, PQconninfoOption 
*options,
                return 3;
        }
 
+       if ((rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldapversion)) 
!= LDAP_SUCCESS)
+       {
+               libpq_append_error(errorMessage, "could not set LDAP protocol 
version: %s",
+                                                  ldap_err2string(rc));
+               free(url);
+               ldap_unbind(ld);
+               return 3;
+       }
+
        /*
         * Perform an explicit anonymous bind.
         *
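Review bot: the new error exit returns 3 after `free(url)` and `ldap_unbind(ld)`, the same code and cleanup as the exit immediately above it, so a failed `ldap_set_option` is reported to the caller like the preceding failure; since the thread itself is unsure which return code is right, a one-line comment or a sentence in the commit message saying why this counts as that kind of failure would settle it. The placement is correct: the option is set before the explicit anonymous bind that follows, which is the first call the protocol version affects. Two things to check: `rc` must already be declared in this function (its declaration is outside the hunk), and the `ldap_set_option` man page documents LDAP_OPT_SUCCESS/LDAP_OPT_ERROR as its return values rather than LDAP result codes, so confirm that `ldap_err2string(rc)` yields a sensible message on both the OpenLDAP and Windows builds when the call fails.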
-- 
2.49.0
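Added example, not libpq code and not part of the patch above: what the protocol version option changes on the wire. It is written in Python rather than against libldap so it runs without a directory server. The client builds the RFC 4511 BindRequest for an anonymous bind at version 2 (the default the commit message refers to) and at version 3, a constructed stand-in for a server that only accepts LDAPv3 answers with protocolError, and the client decodes the BindResponse. The server, its diagnostic text, and the message IDs are assumptions; none of the bytes are captured traffic.

```python
# Added example (not libpq code and not the patch): the LDAP bind exchange
# that LDAP_OPT_PROTOCOL_VERSION changes, encoded per RFC 4511 (BER).
# The "server" below is a constructed stand-in for a directory that refuses
# LDAPv2, so this runs offline; no bytes here are captured traffic.

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST, APP_BIND_RESPONSE = 0x60, 0x61  # [APPLICATION 0] / [APPLICATION 1], constructed
CTX_SIMPLE_AUTH = 0x80                             # AuthenticationChoice simple [0], primitive
SUCCESS, PROTOCOL_ERROR = 0, 2                     # LDAPResult resultCode values
DEFAULT_VERSION, LDAP_VERSION3 = 2, 3              # per the commit message, libldap defaults to 2


def _length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def enc_int(tag: int, n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED."""
    if n < 0:
        raise ValueError("negative values not needed here")
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low bits give the length of the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _expect(buf: bytes, pos: int, tag: int):
    got, body, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x}, got {got:#04x}")
    return body, nxt


def bind_request(msg_id: int, version: int, dn: bytes = b"", password: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple password } }.
    Empty dn and password make it the anonymous bind ldapServiceLookup performs."""
    op = enc_int(INTEGER, version) + tlv(OCTET_STRING, dn) + tlv(CTX_SIMPLE_AUTH, password)
    return tlv(SEQUENCE, enc_int(INTEGER, msg_id) + tlv(APP_BIND_REQUEST, op))


def bind_response(msg_id: int, result_code: int, diagnostic: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    op = enc_int(ENUMERATED, result_code) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diagnostic)
    return tlv(SEQUENCE, enc_int(INTEGER, msg_id) + tlv(APP_BIND_RESPONSE, op))


def _unwrap(msg: bytes, op_tag: int):
    """Return (messageID, protocolOp body) of an LDAPMessage carrying op_tag."""
    body, _ = _expect(msg, 0, SEQUENCE)
    mid, pos = _expect(body, 0, INTEGER)
    op, _ = _expect(body, pos, op_tag)
    return int.from_bytes(mid, "big", signed=True), op


def bind_request_version(msg: bytes) -> int:
    _, op = _unwrap(msg, APP_BIND_REQUEST)
    ver, _ = _expect(op, 0, INTEGER)
    return int.from_bytes(ver, "big", signed=True)


def parse_bind_response(msg: bytes):
    _, op = _unwrap(msg, APP_BIND_RESPONSE)
    code, pos = _expect(op, 0, ENUMERATED)
    _, pos = _expect(op, pos, OCTET_STRING)          # matchedDN, unused here
    diag, _ = _expect(op, pos, OCTET_STRING)
    return int.from_bytes(code, "big", signed=True), diag.decode()


def v3_only_server(request: bytes) -> bytes:
    """Constructed stand-in for a directory that rejects LDAPv2 binds.
    The diagnostic text is made up; real servers word it differently."""
    msg_id, _ = _unwrap(request, APP_BIND_REQUEST)
    if bind_request_version(request) != LDAP_VERSION3:
        return bind_response(msg_id, PROTOCOL_ERROR, b"LDAPv3 required")
    return bind_response(msg_id, SUCCESS)


def negotiate(version: int):
    """Client side of the exchange: anonymous bind at `version`, decoded result."""
    return parse_bind_response(v3_only_server(bind_request(1, version)))


if __name__ == "__main__":
    for v in (DEFAULT_VERSION, LDAP_VERSION3):
        print(f"bind v{v}: {bind_request(1, v).hex()} -> {negotiate(v)}")
```

Running the file prints both exchanges: the v2 bind comes back with resultCode protocolError(2), which is the failure ldapServiceLookup would otherwise hit at its anonymous bind, and the v3 bind succeeds. The BER helpers cover only what BindRequest/BindResponse need (definite lengths, non-negative integers); they are not a general LDAP codec.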
