Re: [HACKERS] LDAPS
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Thomas Munro <thomas.munro@enterprisedb.com>
Cc: Pg Hackers <pgsql-hackers@postgresql.org>
Date: 2018-01-03T15:34:12Z
Lists: pgsql-hackers
On 1/2/18 14:56, Thomas Munro wrote: >> A small point on the test changes. You change the test under >> "diagnostic message", but I'm not sure why. Do the changes invalidate >> the existing test? > > Yeah. In master, I was relying on the server rejecting ldaptls=1 > requests due to lack of configured certificate in order to generate a > diagnostic message. Now that there is a certificate, I needed to find > another way to get requests rejected with a diagnostic message. I > have added a brief note to the commit message about this. > >> We should probably also add another "note" call to introduce the LDAPS >> tests section. > > I realised that I should probably also include a new test for > ldaptls=1, so that we can see that both ways of doing TLS are working. > I added that test, and added a "note" to label the whole section as > "TLS". Please see attached. Committed. I added a test case for combining LDAPS with StartTLS. The OpenLDAP library sensibly rejects that, so we don't need to do anything ourselves to prevent that. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Allow ldaps when using ldap authentication
- 35c0754fadca 11.0 landed