Re: DNS SRV support for LDAP authentication

Graham Leggett <minfrin@sharp.fm>

From: Graham Leggett <minfrin@sharp.fm>
To: Thomas Munro <thomas.munro@enterprisedb.com>
Cc: Pg Hackers <pgsql-hackers@postgresql.org>
Date: 2019-02-02T11:34:56Z
Lists: pgsql-hackers
On 02 Feb 2019, at 01:57, Thomas Munro <thomas.munro@enterprisedb.com> wrote:

> On Sat, Feb 2, 2019 at 9:25 AM Graham Leggett <minfrin@sharp.fm> wrote:
>> On 25 Sep 2018, at 04:09, Thomas Munro <thomas.munro@enterprisedb.com> wrote:
>>> Some people like to use DNS SRV records to advertise LDAP servers on
>>> their network.  Microsoft Active Directory is usually (always?) set up
>>> that way.  Here is a patch to allow our LDAP auth module to support
>>> that kind of discovery.
>> 
>> Does this support SSL/TLS?
> 
> I didn't try it myself but I found several claims that it works.  I
> see complaints that it always looks for _ldap._tcp and not _ldaps._tcp
> as you might expect when using ldascheme=ldaps, but that doesn't seem
> to be a big problem.  As for ldaptls=1, that must work because it
> doesn't even negotiate that until after the connection is made.

If the LDAP server was bound to port 636, how would the client know to use a direct SSL/TLS connection and not STARTTLS?

Regards,
Graham
—



Commits

  1. Add DNS SRV support for LDAP server discovery.