| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Allow matching whole DN from a client certificate |
| Date: | 2020-11-11 20:44:29 |
| Message-ID: | 92e70110-9273-d93c-5913-0bccb6562740@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Currently we only match the Common Name (CN) of a client certificate
when authenticating a user. The attached patch allows matching the
entire Distinguished Name (DN) of the certificate. This is enabled by
the HBA line option "clientname", which can take the values "CN" or
"DN". "CN" is the default.
The idea is that you might have a role with a CN of, say, "dbauser" in
two different parts of the organization, say one with "OU=marketing" and
the other with "OU=engineering", and you only want to allow access to
one of them.
This feature is best used in conjunction with a map. e.g. in testing I
have this pg_hba.conf line:
hostssl all all 127.0.0.1/32 cert clientname=DN map=dn
and this pg_ident.conf line:
dn /^C=US,ST=North.Carolina,O=test,OU=eng,CN=andrew$ andrew
If people like this idea I'll add tests and docco and add it to the next CF.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
"
| Attachment | Content-Type | Size |
|---|---|---|
| ssl-match-client-cert-dn-v1.patch | text/x-patch | 6.3 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | John Naylor | 2020-11-11 20:45:06 | Re: cutting down the TODO list thread |
| Previous Message | Daniel Gustafsson | 2020-11-11 20:07:39 | Re: Add docs stub for recovery.conf |