| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Allow matching whole DN from a client certificate |
| Date: | 2020-11-11 21:33:23 |
| Message-ID: | 20201111213323.GK16415@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Greetings,
* Andrew Dunstan (andrew(at)dunslane(dot)net) wrote:
> Currently we only match the Common Name (CN) of a client certificate
> when authenticating a user. The attached patch allows matching the
> entire Distinguished Name (DN) of the certificate. This is enabled by
> the HBA line option "clientname", which can take the values "CN" or
> "DN". "CN" is the default.
>
> The idea is that you might have a role with a CN of, say, "dbauser" in
> two different parts of the organization, say one with "OU=marketing" and
> the other with "OU=engineering", and you only want to allow access to
> one of them.
>
> This feature is best used in conjunction with a map. e.g. in testing I
> have this pg_hba.conf line:
>
> hostssl all all 127.0.0.1/32 cert clientname=DN map=dn
>
> and this pg_ident.conf line:
>
> dn /^C=US,ST=North.Carolina,O=test,OU=eng,CN=andrew$ andrew
>
> If people like this idea I'll add tests and docco and add it to the next CF.
Yeah, this is definitely a worthwhile feature.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2020-11-11 22:18:04 | Re: In-placre persistance change of a relation |
| Previous Message | Euler Taveira | 2020-11-11 21:00:00 | recovery_target immediate timestamp |