Re: Allow matching whole DN from a client certificate

From: Justin Pryzby <pryzby(at)telsasoft(dot)com>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Jacob Champion <pchampion(at)vmware(dot)com>, daniel(at)yesql(dot)se, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Allow matching whole DN from a client certificate
Date: 2021-02-27 19:37:47
Message-ID: 20210227193747.GZ20769@telsasoft.com
Lists: pgsql-hackers

On Sat, Jan 30, 2021 at 04:18:12PM -0500, Andrew Dunstan wrote:
> @@ -610,6 +610,19 @@ hostnogssenc <replaceable>database</replaceable> <replaceable>user</replaceabl
> the verification of client certificates with any authentication
> method that supports <literal>hostssl</literal> entries.
> </para>
> + <para>
> + On any record using client certificate authentication, that is one
> + using the <literal>cert</literal> authentication method or one
> + using the <literal>clientcert</literal> option, you can specify

I suggest, instead of "that is", parenthesizing this part:
| (one using the <literal>cert</literal> authentication method or the
| <literal>clientcert</literal> option), you can specify

> + which part of the client certificate credentials to match using
> + the <literal>clientname</literal> option. This option can have one
> + of two values. If you specify <literal>clientname=CN</literal>, which
> + is the default, the username is matched against the certificate's
> + <literal>Common Name (CN)</literal>. If instead you specify
> + <literal>clientname=DN</literal> the username is matched against the
> + entire <literal>Distinguished Name (DN)</literal> of the certificate.
> + This option is probably best used in comjunction with a username map.
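Review bot: the new paragraph says that with clientname=DN the username is matched against the "entire Distinguished Name" but never says how that DN is serialized for the comparison (attribute order, separator, escaping of special characters such as commas), and a reader cannot write a correct username map entry without knowing that; state the exact string form the server produces, and since the paragraph recommends a username map, say that the map's regular expression is applied to that whole string, so it should be anchored and any regex metacharacters in the DN escaped. Separately, `<literal>Common Name (CN)</literal>` and `<literal>Distinguished Name (DN)</literal>` mark up descriptive phrases as literals; only `CN` and `DN` (the values of the option) are literal, so the surrounding words should be plain text.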

spell: conjunction
