| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Albrecht Dreß <albrecht(dot)dress(at)arcor(dot)de> |
| Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Q: cert authentication and user remapping fails |
| Date: | 2019-12-06 17:52:44 |
| Message-ID: | 17778.1575654764@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Albrecht =?iso-8859-1?b?RHJl3w==?= <albrecht(dot)dress(at)arcor(dot)de> writes:
> In my installation, the user certificate CN's contain human-readable names (utf8, with spaces, etc.). I want *all* users connecting with cert authentication to be mapped to a certain database role.
I don't think that the user name mapping feature works in the way
you are hoping it does. According to
https://www.postgresql.org/docs/current/auth-username-maps.html
what the map does is to specify allowed combinations of the validated
external user name ("Albrecht Dreß" in your example) and the database
role the user asked to connect as. So given
> certaccess /^.*$ testuser
it should be possible to do
psql -h dbserver -U testuser testdb
with a certificate that has CN="Albrecht Dreß" (or anything else).
But the map won't result in silently connecting you as some other
role than the one you asked for.
(I haven't actually tried this, but that's how I read the docs.)
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Justin | 2019-12-06 18:06:55 | Re: upgrade and migrate |
| Previous Message | Albrecht Dreß | 2019-12-06 17:22:18 | Q: cert authentication and user remapping fails |