


postgresql

28th chunk of `doc/src/sgml/client-auth.sgml`
 <ulink url="https://datatracker.ietf.org/doc/html/rfc4513">RFC 4513</ulink>.
        See also the <literal>ldapscheme</literal> option for an alternative.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </para>

   <para>
    Note that using <literal>ldapscheme</literal> or
    <literal>ldaptls</literal> only encrypts the traffic between the
    PostgreSQL server and the LDAP server.  The connection between the
    PostgreSQL server and the PostgreSQL client will still be unencrypted
    unless SSL is used there as well.
   </para>

   <para>
    The following options are used in simple bind mode only:
    <variablelist>
     <varlistentry>
      <term><literal>ldapprefix</literal></term>
      <listitem>
       <para>
        String to prepend to the user name when forming the DN to bind as,
        when doing simple bind authentication.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term><literal>ldapsuffix</literal></term>
      <listitem>
       <para>
        String to append to the user name when forming the DN to bind as,
        when doing simple bind authentication.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </para>

   <para>
    The following options are used in search+bind mode only:
    <variablelist>
     <varlistentry>
      <term><literal>ldapbasedn</literal></term>
      <listitem>
       <para>
        Root DN to begin the search for the user in, when doing search+bind
        authentication.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term><literal>ldapbinddn</literal></term>
      <listitem>
       <para>
        DN of the user to bind to the directory as, in order to perform the
        search when doing search+bind authentication.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term><literal>ldapbindpasswd</literal></term>
      <listitem>
       <para>
        Password for the user that binds to the directory to perform the
        search when doing search+bind authentication.
       </para>
      </listitem>
      </varlistentry>
      <varlistentry>
       <term><literal>ldapsearchattribute</literal></term>
       <listitem>
        <para>
         Attribute to match against the user name in the search when doing
         search+bind authentication.  If no attribute is specified, the
         <literal>uid</literal> attribute will be used.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term><literal>ldapsearchfilter</literal></term>
       <listitem>
        <para>
         The search filter to use when doing search+bind authentication.
         Occurrences of <literal>$username</literal> will be replaced with the
         user name.  This allows for more flexible search filters than
         <literal>ldapsearchattribute</literal>.
        </para>
       </listitem>
      </varlistentry>
     </variablelist>
    </para>
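The following Python sketch is an added example, not PostgreSQL source code and not part of the original documentation. It models how the simple bind options and the search+bind options above turn a user name into a bind DN or a search filter. The function names and the rejection of DN and filter metacharacters in the user name are assumptions of this example, and the sample values are constructed.

```python
# Added example: models how the options combine; this is not PostgreSQL source code.

# Characters this example refuses in a user name (its own conservative input check).
DN_STRUCTURAL = set(',+"\\<>;=\0')    # would change the structure of a DN
FILTER_STRUCTURAL = set('*()\\\0')    # RFC 4515 filter metacharacters


def _reject(username, forbidden):
    """Raise ValueError for an empty user name or one containing forbidden characters."""
    bad = sorted(set(username) & forbidden)
    if not username or bad:
        raise ValueError(f"refusing user name {username!r}: {bad or 'empty'}")


def simple_bind_dn(username, ldapprefix="", ldapsuffix=""):
    """Simple bind mode: the DN to bind as is ldapprefix + user name + ldapsuffix."""
    _reject(username, DN_STRUCTURAL)
    return f"{ldapprefix}{username}{ldapsuffix}"


def search_filter(username, ldapsearchattribute=None, ldapsearchfilter=None):
    """Search+bind mode: the filter used to look up the user's entry."""
    _reject(username, FILTER_STRUCTURAL)
    if ldapsearchfilter:
        # Every occurrence of $username is replaced with the user name.
        # (Preferring the filter when both options are given is this example's choice.)
        return ldapsearchfilter.replace("$username", username)
    # Without an explicit attribute, the uid attribute is matched.
    return f"({ldapsearchattribute or 'uid'}={username})"


if __name__ == "__main__":
    # Constructed sample values.
    print(simple_bind_dn("alice", "cn=", ", dc=example, dc=net"))
    print(search_filter("alice"))
    print(search_filter("alice", ldapsearchfilter="(|(uid=$username)(mail=$username))"))
```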

    <para>
     The following option may be used as an alternative way to write some of the
     above LDAP options in a more compact and standard form:
     <variablelist>
      <varlistentry>
       <term><literal>ldapurl</literal></term>
       <listitem>
        <para>
         An <ulink url="https://datatracker.ietf.org/doc/html/rfc4516">RFC 4516</ulink>
         LDAP URL.  The format is
<synopsis>
ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>][?[<replaceable>filter</replaceable>]]]]
</synopsis>
         <replaceable>scope</replaceable> must be one
         of <literal>base</literal>, <literal>one</literal>, <literal>sub</literal>,
         typically the last.  (The default is <literal>base</literal>, which
         is normally not useful in this application.)  <replaceable>attribute</replaceable> can
         nominate a single attribute, in which case it is

Title: LDAP Authentication Options
Summary
This section describes the various options available for configuring LDAP authentication in PostgreSQL, including options for simple bind mode and search+bind mode, such as prefix, suffix, base DN, bind DN, and search filter, as well as a compact LDAP URL option that can be used as an alternative to some of the individual options.