Re: localhost ssl

On 1/22/21 11:49 AM, Rob Sargent wrote:
> 
> 
>> > Also I'm guessing you have ssl = on in postgresql.conf and server 
>> cert setup.
> 
> Sorry, here's a likely explaination from postgresql.conf
> 
> ssl = on
> #ssl_ca_file = ''
> 
> ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
> #ssl_crl_file = ''
> 
> ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
> 
> I have no recollection of making those choices (or what I had for 
> breakfast).
> 
>>
>> If you want to enforce SSL then:
>>
>> "
>> hostssl
>>
>>      This record matches connection attempts made using TCP/IP, but 
>> only when the connection is made with SSL encryption.
> 
> Do you have any thoughts on question #2?

No, as I really have no idea what:

"In production I hope to name the role with each connection as I want 
the search_path set by the connecting role. ..."

means?

I would point out this:

https://www.postgresql.org/docs/12/auth-cert.html

"User name mapping can be used to allow cn to be different from the 
database user name."

which leads to this:

https://www.postgresql.org/docs/12/auth-username-maps.html



-- 
Adrian Klaver
adrian.klaver@aklaver.com