| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: pgsql: Allow matching the DN of a client certificate for authentication |
| Date: | 2021-04-01 18:03:11 |
| Message-ID: | 1778fbb3-8754-f336-1ffa-413fdbc61fdf@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
On 3/29/21 3:50 PM, Andrew Dunstan wrote:
> Allow matching the DN of a client certificate for authentication
>
> Currently we only recognize the Common Name (CN) of a certificate's
> subject to be matched against the user name. Thus certificates with
> subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same
> connection rights. This patch provides an option to match the whole
> Distinguished Name (DN) instead of just the CN. On any hba line using
> client certificate identity, there is an option 'clientname' which can
> have values of 'DN' or 'CN'. The default is 'CN', the current procedure.
>
> The DN is matched against the RFC2253 formatted DN, which looks like
> 'CN=fred,OU=eng'.
>
> This facility of probably best used in conjunction with an ident map.
>
> Discussion: https://postgr.es/m/92e70110-9273-d93c-5913-0bccb6562740@dunslane.net
>
> Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion
Belated credit where it's due: this work was originally based on a patch
from Kosmas Valianos of AppGate.
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2021-04-01 19:31:15 | pgsql: Fix setvbuf()-induced crash in libpq_pipeline |
| Previous Message | Robert Haas | 2021-04-01 17:41:33 | pgsql: amcheck: Fix verify_heapam's tuple visibility checking rules. |