Re: Allow matching whole DN from a client certificate
From | Andrew Dunstan |
---|---|
Subject | Re: Allow matching whole DN from a client certificate |
Date | |
Msg-id | ff2d915e-fe47-3f06-d72f-e0807871cf16@dunslane.net |
In reply to | Re: Allow matching whole DN from a client certificate (Daniel Gustafsson <daniel@yesql.se>) |
List | pgsql-hackers |

On 1/29/21 8:18 AM, Daniel Gustafsson wrote:
>> On 28 Jan 2021, at 23:10, Andrew Dunstan <andrew@dunslane.net> wrote:
>> On 1/28/21 11:39 AM, Jacob Champion wrote:
>>> Unfortunately I don't really know what that solution should look like.
>>> A DSL for filtering on RDNs would be a lot of work, but it could
>>> potentially allow LDAP to be mapped through pg_ident as well
>> In the end it will be up to users to come up with expressions that meet
>> their usage. Yes they could get it wrong, but then they can get so many
>> things wrong ;-)
> My main concern with this isn't that it's easy to get it wrong, but that it may
> end up being hard to get it right (with false positives in the auth path as a
> result). Right now I'm not sure where it leans.
>
> Maybe it will be easier to judge the proposal when the documentation has been
> updated warnings for the potential pitfalls?
>

Feel free to make suggestions for wording :-)

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com