Fix handling of HBA ldapserver with multiple hostnames.

Commit 35c0754f failed to handle space-separated lists of alternative hostnames in ldapserver, when building a URI for ldap_initialize() (OpenLDAP). Such lists need to be expanded to space-separated URIs. Repair. Back-patch to 11, to fix bug report #15495. Author: Thomas Munro Reported-by: Renaud Navarro Discussion: https://postgr.es/m/15495-2c39fc196c95cd72%40postgresql.org
2018-11-13 17:39:36 +13:00 · 2018-11-13 17:39:36 +13:00 · 6b6c64a96d
commit 6b6c64a96d
parent 726ca18f94
2 changed files with 54 additions and 6 deletions
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@ -2352,12 +2352,44 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 #else
 #ifdef HAVE_LDAP_INITIALIZE
 	{
-		char	   *uri;
+		const char *hostnames = port->hba->ldapserver;
+		char	   *uris = NULL;

-		uri = psprintf("%s://%s:%d", scheme, port->hba->ldapserver,
+		/*
+		 * We have a space-separated list of hostnames.  Convert it
+		 * to a space-separated list of URIs.
+		 */
+		do
+		{
+			const char *hostname;
+			size_t		hostname_size;
+			char	   *new_uris;
+
+			/* Find the leading hostname. */
+			hostname_size = strcspn(hostnames, " ");
+			hostname = pnstrdup(hostnames, hostname_size);
+
+			/* Append a URI for this hostname. */
+			new_uris = psprintf("%s%s%s://%s:%d",
+								uris ? uris : "",
+								uris ? " " : "",
+								scheme,
+								hostname,
 								port->hba->ldapport);
-		r = ldap_initialize(ldap, uri);
-		pfree(uri);
+
+			pfree(hostname);
+			if (uris)
+				pfree(uris);
+			uris = new_uris;
+
+			/* Step over this hostname and any spaces. */
+			hostnames += hostname_size;
+			while (*hostnames == ' ')
+				++hostnames;
+		} while (*hostnames);
+
+		r = ldap_initialize(ldap, uris);
+		pfree(uris);
 		if (r != LDAP_SUCCESS)
 		{
 			ereport(LOG,
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@ -6,7 +6,7 @@ use Test::More;

 if ($ENV{with_ldap} eq 'yes')
 {
-	plan tests => 19;
+	plan tests => 22;
 }
 else
 {
@ -179,6 +179,22 @@ test_access($node, 'test1', 2,
 $ENV{"PGPASSWORD"} = 'secret1';
 test_access($node, 'test1', 0, 'search+bind authentication succeeds');

+note "multiple servers";
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+	qq{local all all ldap ldapserver="$ldap_server $ldap_server" ldapport=$ldap_port ldapbasedn="$ldap_basedn"}
+);
+$node->restart;
+
+$ENV{"PGPASSWORD"} = 'wrong';
+test_access($node, 'test0', 2,
+	'search+bind authentication fails if user not found in LDAP');
+test_access($node, 'test1', 2,
+	'search+bind authentication fails with wrong password');
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0, 'search+bind authentication succeeds');
+
 note "LDAP URLs";

 unlink($node->data_dir . '/pg_hba.conf');