
Re: [PATCH] user mapping extension to pg_ident.conf

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Lars Kanis <kanis(at)comcard(dot)de>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org, Magnus Hagander <magnus(at)hagander(dot)net>
Subject: Re: [PATCH] user mapping extension to pg_ident.conf
Date: 2009-06-29 19:01:12
Message-ID: 20090629190112.GS20436@tamriel.snowman.net
Lists: pgsql-hackers
Lars,

* Lars Kanis (kanis(at)comcard(dot)de) wrote:
> The problem I have, is that I want to use an ordinary windows application, 
> which connects to an arbitrary ODBC data source. This application stores a 
> fixed username and password for the connection within its own binary data 
> file. It doesn't know anything about TLS-connection nor smartcard based 
> authentication. All this is done in the libpg.dll.

To be honest, I think the problem as described above makes it a no-go.
What you're asking for is essentially "I want the server to ignore the
username passed in" which just doesn't make sense.  It's unfortunate
that this Windows application using ODBC doesn't allow for the username
to be changed, but that's not something PG is going to solve for you.  I
would recommend you work on fixing the application.

> It works fine so far, as long as I want to work with the single role given by 
> the fixed username. I could map any cn-contents to this one user by writing:
> # MAPNAME     SYSTEM-USERNAME    PG-USERNAME
> ssl-user      /.*                fixed_user

What you really want is:
ssl-user      user1_cn     user1
ssl-user      user2_cn     user2
ssl-user      user3_cn     user3

or so..

And then have your application accept and use a username provided to it
when connecting to ODBC.  Having your application pass some hard-coded
username to PG all the time just isn't going to work.

> I think the same problem occurs with kerberos authentication. You can't get 
> the role based on your kerberos ticket, when the username is not set 
> likewise.

With Kerberos you do pass in the username (or possibly the username is
"figured out" from the principal, but it's the same to the server side)
you actually want to be in the database as part of the connection and then
the validation is done against the Kerberos credentials.  Perhaps your
Windows application also wouldn't work with Kerberos, but in the general
case people are logging in with their username, not with some fixed
username.

	Thanks,

		Stephen
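As an added illustration (not code from this thread, and not PostgreSQL's own implementation), the following Python model of the server-side pg_ident.conf usermap check shows why the catch-all map quoted above cannot do what was asked while the per-user map can: the role name the client sends is compared against the mapped PG-USERNAME, never discarded. The three config fragments are constructed for the example; the third one, a single regex line with a capture group, generalises the three per-user lines and is not something the thread spells out. The matching rules modelled (a slash-prefixed SYSTEM-USERNAME is a regular expression searched against the authenticated name, \1 in PG-USERNAME is replaced by the first capture, anything else is an exact match) follow the documented pg_ident.conf behaviour; options beyond that, such as case-insensitive matching, are deliberately left out.

```python
import re

# Constructed pg_ident.conf fragments (not from the thread's own files): the
# catch-all map the original post describes, the per-user map suggested in
# the reply, and a regex-with-capture variant that generalises the latter.
IDENT_CATCH_ALL = """\
# MAPNAME     SYSTEM-USERNAME    PG-USERNAME
ssl-user      /.*                fixed_user
"""

IDENT_PER_USER = """\
# MAPNAME     SYSTEM-USERNAME    PG-USERNAME
ssl-user      user1_cn           user1
ssl-user      user2_cn           user2
ssl-user      user3_cn           user3
"""

IDENT_CAPTURE = r"""
# One regex line covering every "<role>_cn" certificate: \1 is the capture.
ssl-user      /^(.*)_cn$         \1
"""


def parse_ident(text):
    """Parse pg_ident.conf text into (mapname, system_username, pg_username)
    tuples, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append(tuple(fields))
    return entries


def check_usermap(entries, mapname, system_username, requested_role):
    """Model of the server-side usermap check (assumption: follows the
    documented pg_ident.conf rules, nothing more).

    system_username is what authentication established (here the certificate
    CN); requested_role is the database user the client asked to connect as.
    A line matches only if its SYSTEM-USERNAME matches *and* its PG-USERNAME
    (after \\1 substitution) equals requested_role, so the client-supplied
    role is never ignored: a map can only permit or refuse it.
    """
    for name, sys_pat, pg_user in entries:
        if name != mapname:
            continue
        candidate = pg_user
        if sys_pat.startswith("/"):
            # Leading '/' marks a regular expression; the match is a search,
            # not implicitly anchored, so "/.*" matches any name.
            m = re.search(sys_pat[1:], system_username)
            if m is None:
                continue
            if "\\1" in candidate:
                if m.re.groups < 1:
                    raise ValueError(
                        f"PG-USERNAME {pg_user!r} uses \\1 but regex "
                        f"{sys_pat!r} has no capture group")
                candidate = candidate.replace("\\1", m.group(1))
        elif sys_pat != system_username:
            continue
        if candidate == requested_role:
            return True
    return False


if __name__ == "__main__":
    cases = [
        ("catch-all", IDENT_CATCH_ALL, "user1_cn", "fixed_user"),
        ("catch-all", IDENT_CATCH_ALL, "user1_cn", "user1"),
        ("per-user", IDENT_PER_USER, "user1_cn", "user1"),
        ("per-user", IDENT_PER_USER, "user2_cn", "user1"),
        ("capture", IDENT_CAPTURE, "user3_cn", "user3"),
        ("capture", IDENT_CAPTURE, "user3_cn", "fixed_user"),
    ]
    for label, conf, cn, role in cases:
        ok = check_usermap(parse_ident(conf), "ssl-user", cn, role)
        verdict = "allowed" if ok else "rejected"
        print(f"{label:9s} CN={cn:9s} role={role:10s} -> {verdict}")
```

The second case is the one that matters for the request in this thread: with the catch-all map, a client that always sends the fixed username is accepted only as fixed_user, and asking for user1 is refused even though the certificate CN is user1_cn. Only when the client sends the role it actually wants (cases three and five) does the map let the certificate decide whether that role is permitted.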


Copyright © 1996-2014 The PostgreSQL Global Development Group