Lists: | pgsql-bugs |
---|
From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Cc: | rnavarro(at)nocibe(dot)fr |
Subject: | BUG #15495: Ldap authentication not working with multiple server in Postgresql 11 |
Date: | 2018-11-09 15:47:59 |
Message-ID: | [email protected] |
The following bug has been logged on the website:
Bug reference: 15495
Logged by: Renaud Navarro
Email address: rnavarro(at)nocibe(dot)fr
PostgreSQL version: 11.1
Operating system: Oracle Linux 7.5
Description:
Hi
After upgrading the database from PostgreSQL 10.5 to PostgreSQL 11.1, LDAP
authentication no longer works with multiple LDAP servers specified.
The pg_hba.conf has the following line:
hostssl all all 172.20.0.0/16 ldap
ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net"
ldapprefix="NOCIBE\" ldaptls=1 "
I have the following error in the log file:
2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad
parameter to an ldap routine
2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for
user "admin_rnavarro"
If I modify the pg_hba.conf with one LDAP server, the authentication is
working.
The same entry with PostgreSQL 10.5 works perfectly.
Thanks for helping me
Kind Regards
From: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> |
---|---|
To: | rnavarro(at)nocibe(dot)fr, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11 |
Date: | 2018-11-09 19:28:25 |
Message-ID: | CAEepm=2NQaokvU+LuGoRHUK9_CW0J5uPJzje+zxZYy8jcCchUg@mail.gmail.com |
Lists: | pgsql-bugs |
On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
<noreply(at)postgresql(dot)org> wrote:
> The following bug has been logged on the website:
>
> Bug reference: 15495
> Logged by: Renaud Navarro
> Email address: rnavarro(at)nocibe(dot)fr
> PostgreSQL version: 11.1
> Operating system: Oracle Linux 7.5
> Description:
>
> Hi
>
> After upgrading the database from PostgreSQL 10.5 to PostgreSQL 11.1, LDAP
> authentication no longer works with multiple LDAP servers specified.
> The pg_hba.conf has the following line:
> hostssl all all 172.20.0.0/16 ldap
> ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net"
> ldapprefix="NOCIBE\" ldaptls=1 "
> I have the following error in the log file:
> 2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad
> parameter to an ldap routine
> 2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for
> user "admin_rnavarro"
> If I modify the pg_hba.conf with one LDAP server, the authentication is
> working.
> The same entry with PostgreSQL 10.5 works perfectly.
Thanks for the report. I see the problem. In commit
35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
to ldap_initialize() because the newer interface supports LDAPS. To
do that we have to build a URI from the given protocol, server and
port. I overlooked the case where multiple servers are specified in
ldapserver. If you say ldapserver="a b c" then we generate a URI
"ldap://a b c:389", but it looks like we should instead generate a URI
list "ldap://a:389 ldap://b:389 ldap://c:389".
Unfortunately there doesn't seem to be an obvious workaround until we
can ship a fix in the next point release, because ldapurl doesn't
support the space-separated list format either.
--
Thomas Munro
http://www.enterprisedb.com
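The URI construction Thomas describes, as an added C illustration that is not PostgreSQL's own code: build_uri_naive has the shape of the bug (the whole ldapserver string is treated as one host, giving "ldap://a b c:389"), while build_uri_list expands a space-separated ldapserver value into one "scheme://host:port" entry per host, which is the form ldap_initialize() accepts. Function names, buffer handling and the sample inputs are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not PostgreSQL's code) of the ldapserver -> URI
 * expansion discussed in the thread.  ldap_initialize() takes a
 * space-separated list of URIs, so each host needs its own URI.
 */

/* Shape of the bug: the entire ldapserver string becomes one host. */
static int
build_uri_naive(const char *scheme, const char *servers, int port,
                char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s://%s:%d", scheme, servers, port);
}

/* Corrected form: one URI per whitespace-separated host, joined by spaces.
 * Returns the number of hosts emitted, or -1 if the buffer is too small. */
static int
build_uri_list(const char *scheme, const char *servers, int port,
               char *out, size_t outlen)
{
    size_t      used = 0;
    int         nhosts = 0;
    const char *p = servers;

    out[0] = '\0';
    for (;;)
    {
        const char *start;
        int         n;

        while (*p && isspace((unsigned char) *p))   /* skip separators */
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p && !isspace((unsigned char) *p))  /* scan one hostname */
            p++;
        n = snprintf(out + used, outlen - used, "%s%s://%.*s:%d",
                     nhosts ? " " : "", scheme, (int) (p - start), start, port);
        if (n < 0 || (size_t) n >= outlen - used)
            return -1;
        used += (size_t) n;
        nhosts++;
    }
    return nhosts;
}
```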
From: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> |
---|---|
To: | rnavarro(at)nocibe(dot)fr, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11 |
Date: | 2018-11-09 22:45:00 |
Message-ID: | CAEepm=0niUx=1g98ZZFd+2+dQDBeVgW=ppzVnW5Mpq65QP-6UQ@mail.gmail.com |
Lists: | pgsql-bugs |
On Sat, Nov 10, 2018 at 8:28 AM Thomas Munro
<thomas(dot)munro(at)enterprisedb(dot)com> wrote:
> On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
> <noreply(at)postgresql(dot)org> wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 15495
> > Logged by: Renaud Navarro
> > Email address: rnavarro(at)nocibe(dot)fr
> > PostgreSQL version: 11.1
> > Operating system: Oracle Linux 7.5
> > Description:
> >
> > Hi
> >
> > After upgrading the database from PostgreSQL 10.5 to PostgreSQL 11.1, LDAP
> > authentication no longer works with multiple LDAP servers specified.
> > The pg_hba.conf has the following line:
> > hostssl all all 172.20.0.0/16 ldap
> > ldapserver="dcinfrap01s.nocibe.net dcinfrap02s.nocibe.net"
> > ldapprefix="NOCIBE\" ldaptls=1 "
> > I have the following error in the log file:
> > 2018-11-09 16:32:45.407 CET [29629] LOG: could not initialize LDAP: Bad
> > parameter to an ldap routine
> > 2018-11-09 16:32:45.408 CET [29629] FATAL: LDAP authentication failed for
> > user "admin_rnavarro"
> > If I modify the pg_hba.conf with one LDAP server, the authentication is
> > working.
> > The same entry with PostgreSQL 10.5 works perfectly.
>
> Thanks for the report. I see the problem. In commit
> 35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
> to ldap_initialize() because the newer interface supports LDAPS. To
> do that we have to build a URI from the given protocol, server and
> port. I overlooked the case where multiple servers are specified in
> ldapserver. If you say ldapserver="a b c" then we generate a URI
> "ldap://a b c:389", but it looks like we should instead generate a URI
> list "ldap://a:389 ldap://b:389 ldap://c:389".
Here's a draft patch.
--
Thomas Munro
http://www.enterprisedb.com
Attachment | Content-Type | Size |
---|---|---|
0001-Fix-handling-of-ldapserver-with-multiple-hostnames.patch | application/octet-stream | 3.2 KB |
From: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> |
---|---|
To: | rnavarro(at)nocibe(dot)fr, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: BUG #15495: Ldap authentication not working with multiple server in Postgresql 11 |
Date: | 2018-11-13 04:54:15 |
Message-ID: | CAEepm=35svNb=qWOANCBZi5-U4Thmpn78FE9T3LW8Y202-kK0Q@mail.gmail.com |
Lists: | pgsql-bugs |
On Sat, Nov 10, 2018 at 11:45 AM Thomas Munro
<thomas(dot)munro(at)enterprisedb(dot)com> wrote:
> On Sat, Nov 10, 2018 at 8:28 AM Thomas Munro
> <thomas(dot)munro(at)enterprisedb(dot)com> wrote:
> > On Sat, Nov 10, 2018 at 4:48 AM PG Bug reporting form
> > <noreply(at)postgresql(dot)org> wrote:
> > > After upgrading the database from PostgreSQL 10.5 to PostgreSQL 11.1, LDAP
> > > authentication no longer works with multiple LDAP servers specified.
> > Thanks for the report. I see the problem. In commit
> > 35c0754fadca8010955f6b10cb47af00bdbe1286 we switched from ldap_init()
> > to ldap_initialize() because the newer interface supports LDAPS. To
> > do that we have to build a URI from the given protocol, server and
> > port. I overlooked the case where multiple servers are specified in
> > ldapserver. If you say ldapserver="a b c" then we generate a URI
> > "ldap://a b c:389", but it looks like we should instead generate a URI
> > list "ldap://a:389 ldap://b:389 ldap://c:389".
>
> Here's a draft patch.
I did some testing with various multi-server configurations, added a
simple two hostname case to the regression tests and pushed this to
master and 11. Thanks again for the report.
--
Thomas Munro
http://www.enterprisedb.com