|From:||Andrew Dunstan <andrew(at)dunslane(dot)net>|
|To:||Daniel Gustafsson <daniel(at)yesql(dot)se>|
|Cc:||Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>|
|Subject:||Re: Allow matching whole DN from a client certificate|
|Views:||Raw Message | Whole Thread | Download mbox | Resend email|
On 1/29/21 8:18 AM, Daniel Gustafsson wrote:
>> On 28 Jan 2021, at 23:10, Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
>> On 1/28/21 11:39 AM, Jacob Champion wrote:
>>> Unfortunately I don't really know what that solution should look like.
>>> A DSL for filtering on RDNs would be a lot of work, but it could
>>> potentially allow LDAP to be mapped through pg_ident as well
>> In the end it will be up to users to come up with expressions that meet
>> their usage. Yes they could get it wrong, but then they can get so many
>> things wrong ;-)
> My main concern with this isn't that it's easy to get it wrong, but that it may
> end up being hard to get it right (with false positives in the auth path as a
> result). Right now I'm not sure where it leans.
> Maybe it will be easier to judge the proposal when the documentation has been
> updated warnings for the potential pitfalls?
Feel free to make suggestions for wording :-)
|Next Message||Yugo NAGATA||2021-01-29 14:06:59||Re: Is Recovery actually paused?|
|Previous Message||Alexander Korotkov||2021-01-29 13:51:03||Re: Phrase search vs. multi-lexeme tokens|