Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)
From | David Fetter |
---|---|
Subject | Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN) |
Date | |
Msg-id | 20190904204049.GN21153@fetter.org |
In response to | Client Certificate Authentication Using Custom Fields (i.e. other than CN) (George Hafiz <george@hafiz.uk>) |
Responses | Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN) |
List | pgsql-hackers |
On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
> Hello,
>
> It is currently only possible to authenticate clients using certificates
> with the CN.
>
> I would like to propose that the field used to identify the client is
> configurable, e.g. being able to specify DN as the appropriate field. The
> reason being is that in some organisations, where you might want to use the
> corporate PKI, but where the CN of such certificates is not controlled.
>
> In my case, the DN of our corporate issued client certificates is
> controlled and derived from AD groups we are members of. Only users in
> those groups can request client certificates with a DN that is equal to the
> AD group ID. This would make DN a perfectly suitable drop-in replacement
> for Postgres client certificate authentication, but as it stands it is not
> possible to change the field used.

This all sounds interesting. Do you have a concrete proposal as to
how such a new interface would look in operation? Better yet, a PoC
patch implementing same?

Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate