On Mon, Feb 1, 2021 at 10:36 PM Jacob Champion <pchampion@vmware.com> wrote:
>
> On Sun, 2021-01-31 at 12:27 +0100, Magnus Hagander wrote:
> > > (There's also the fact that I think pg_ident mapping for LDAP would be
> > > just as useful as it is for GSS or certs. That's for a different
> > > conversation.)
> >
> > Specifically for search+bind, I would assume?
>
> Even for the simple bind case, I think it'd be useful to be able to
> perform a pg_ident mapping of
>
> ldapmap /.* ldapuser
>
> so that anyone who is able to authenticate against the LDAP server is
> allowed to assume the ldapuser role. (For this to work, you'd need to
> be able to specify your LDAP username as a connection option, similar
> to how you can specify a client certificate, so that you could set
> PGUSER=ldapuser.)
>
> But again, that's orthogonal to the current discussion.
Right. I guess that's what I mean -- *just* adding support for user
mapping wouldn't be helpful. You'd have to change how the actual
authentication is done. The way that it's done now, mapping makes no
sense.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
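To make the proposed `ldapmap /.* ldapuser` line concrete, here is an added example (not code from the thread or from PostgreSQL) that emulates the ordinary pg_ident.conf matching rules, simplified: a `/`-prefixed system-username is a regular expression, `\1` in the pg-username is replaced by the first capture group, and the connection is permitted only if some mapped role equals the role the client asked for. The `certmap` lines and the user names are constructed; the `ldapmap` line exists only as Jacob's proposal, not as a shipped feature.

```python
import re

# Constructed pg_ident.conf content. The "ldapmap" entry is the proposal from the
# thread (accept any authenticated LDAP identity as the "ldapuser" role); the
# "certmap" entries show the mapping forms PostgreSQL already supports.
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME         PG-USERNAME
ldapmap    /.*                     ldapuser
certmap    /^(.*)@example\.com$    \1
certmap    admin                   postgres
"""


def parse_pg_ident(text):
    """Return (mapname, system_username, pg_username) tuples, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mapname, sysname, pgrole = line.split()
        entries.append((mapname, sysname, pgrole))
    return entries


def mapping_allows(entries, mapname, system_user, requested_role):
    """Emulate check_ident_usermap: True if any line of `mapname` maps the
    authenticated system identity onto the role the client requested.
    Simplification: no "+group", "all" or case-insensitive handling."""
    for name, sysname, pgrole in entries:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            m = re.search(sysname[1:], system_user)  # regex form, not anchored
            if not m:
                continue
            if r"\1" in pgrole:
                if not m.groups():
                    raise ValueError("\\1 used but regex has no capture group")
                pgrole = pgrole.replace(r"\1", m.group(1))
        elif sysname != system_user:                  # literal form
            continue
        if pgrole == requested_role:
            return True
    return False


ENTRIES = parse_pg_ident(PG_IDENT)
```

Note that `mapping_allows(ENTRIES, "ldapmap", "alice", "alice")` is False: the catch-all line only helps if the LDAP identity and the requested role are decoupled, which is exactly why a separate connection option (so the client can set PGUSER=ldapuser) would be needed.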