Re: pgsql: Allow matching the DN of a client certificate for authentication
From | Andrew Dunstan |
---|---|
Subject | Re: pgsql: Allow matching the DN of a client certificate for authentication |
Date | |
Msg-id | 1778fbb3-8754-f336-1ffa-413fdbc61fdf@dunslane.net |
In reply to | pgsql: Allow matching the DN of a client certificate for authentication (Andrew Dunstan <andrew@dunslane.net>) |
List | pgsql-committers |
On 3/29/21 3:50 PM, Andrew Dunstan wrote:
> Allow matching the DN of a client certificate for authentication
>
> Currently we only recognize the Common Name (CN) of a certificate's
> subject to be matched against the user name. Thus certificates with
> subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same
> connection rights. This patch provides an option to match the whole
> Distinguished Name (DN) instead of just the CN. On any hba line using
> client certificate identity, there is an option 'clientname' which can
> have values of 'DN' or 'CN'. The default is 'CN', the current procedure.
>
> The DN is matched against the RFC2253 formatted DN, which looks like
> 'CN=fred,OU=eng'.
>
> This facility is probably best used in conjunction with an ident map.
>
> Discussion: https://postgr.es/m/92e70110-9273-d93c-5913-0bccb6562740@dunslane.net
>
> Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion

Belated credit where it's due: this work was originally based on a patch
from Kosmas Valianos of AppGate.

cheers

andrew
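
The configuration the commit message describes, as an added example that is not part of the original message or the PostgreSQL sources: one hba line using the default CN match beside one using `clientname=DN` with an ident map. The address range `192.0.2.0/24` and the map name `eng_only` are assumptions made for illustration.

```conf
# ---- pg_hba.conf (constructed example) ----

# Default, clientname=CN: only the CN is compared with the user name, so
# certificates with subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred'
# both authenticate as "fred". Shown commented out for comparison.
#hostssl  all  all  192.0.2.0/24  cert  clientname=CN

# clientname=DN: the whole RFC2253-formatted DN is the identity that is
# matched, here resolved to a database user through the ident map below.
hostssl   all  all  192.0.2.0/24  cert  clientname=DN  map=eng_only

# ---- pg_ident.conf (constructed example) ----
# MAPNAME   SYSTEM-USERNAME (RFC2253 DN)   PG-USERNAME
# The DN is quoted because it contains commas.
eng_only    "CN=fred,OU=eng"               fred

# 'CN=fred,OU=sales' has no entry in eng_only, so that certificate
# can no longer connect as fred.
```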