Client Certificate Authentication Using Custom Fields (i.e. other than CN)

From: George Hafiz <george(at)hafiz(dot)uk>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Client Certificate Authentication Using Custom Fields (i.e. other than CN)
Date: 2019-09-04 16:24:15
Message-ID: CAM08e9bY1q2a6O595YrYF1Cz+kWBYkYF7Vw-_bz7q0pUsWyU5A@mail.gmail.com
Lists: pgsql-hackers

Hello,

It is currently only possible to authenticate clients using certificates
with the CN.

I would like to propose that the field used to identify the client is
configurable, e.g. being able to specify DN as the appropriate field. The
reason is that in some organisations you might want to use the
corporate PKI, but the CN of such certificates is not controlled.

In my case, the DN of our corporate-issued client certificates is
controlled and derived from AD groups we are members of. Only users in
those groups can request client certificates with a DN that is equal to the
AD group ID. This would make DN a perfectly suitable drop-in replacement
for Postgres client certificate authentication, but as it stands it is not
possible to change the field used.

Best regards,
George
