[PATCH] Support pg_ident mapping for LDAP
| От | Jacob Champion |
|---|---|
| Тема | [PATCH] Support pg_ident mapping for LDAP |
| Дата | |
| Msg-id | 1a61806047c536e7528b943d0cfe12608118ca31.camel@vmware.com обсуждение исходный текст |
| Ответы |
Re: [PATCH] Support pg_ident mapping for LDAP
|
| Список | pgsql-hackers |
Hello, There was a brief discussion [1] back in February on allowing user mapping for LDAP, in order to open up some more complex authorization logic (and slightly reduce the need for LDAP-to-Postgres user synchronization). Attached is an implementation of this that separates the LDAP authentication and authorization identities, and lets the client control the former with an `ldapuser` connection option or its associated PGLDAPUSER envvar. This isn't as useful as, say, authorization based on LDAP attributes or group membership, but it seems like a necessary step towards that feature, since we'll need to separate authn and authz anyway. This provides some feature parity with other auth methods like gss, and it solves the "let anyone who can authenticate against LDAP connect as X role" use case trivially. There is precedent for allowing the DBA to choose whether to map a bare username or the "full" identity expansion -- see for example include_realm=1 for gss and clientname=DN for cert -- so I added an ldap_map_dn=1 option which can be used to map the whole DN. (I'm not entirely convinced that it's useful, but maybe there are some deployments that put authorization information into the LDAP topology, like "everyone in this particular subtree is an admin".) Unlike include_realm, this is only allowed with an explicit map. I don't anticipate people using a full DN as a database username, and I'm worried that doing that without normalization could cause some major confusion and/or security problems. When using a newer client with an older server, the new `ldapuser` option will cause a connection failure. For the case where PGUSER and PGLDAPUSER are identical, that failure is technically unnecessary, and I briefly considered stripping the `ldapuser` option from the connection string in that case so that we could have wider compatibility. I now think that's a bad idea, because suddenly introducing a hard connection failure (or new success) just because your PGLDAPUSER variable changed would be a major support hazard. The TODO is still in the code to remind me to have the conversation. WDYT? --Jacob [1] https://www.postgresql.org/message-id/94f6b945f9ca8cabe2b9d2a38ec19dca6f90a083.camel%40vmware.com
Вложения
В списке pgsql-hackers по дате отправления: