Re: [PATCH] user mapping extension to pg_ident.conf

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Lars Kanis <kanis(at)comcard(dot)de>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org, Magnus Hagander <magnus(at)hagander(dot)net>
Subject: Re: [PATCH] user mapping extension to pg_ident.conf
Date: 2009-06-29 19:01:12
Message-ID: 20090629190112.GS20436@tamriel.snowman.net
Lists: pgsql-hackers

Lars,

* Lars Kanis (kanis(at)comcard(dot)de) wrote:
> The problem I have is that I want to use an ordinary Windows application,
> which connects to an arbitrary ODBC data source. This application stores a
> fixed username and password for the connection within its own binary data
> file. It doesn't know anything about TLS connections nor smartcard based
> authentication. All this is done in the libpg.dll.

To be honest, I think the problem as described above makes it a no-go.
What you're asking for is essentially "I want the server to ignore the
username passed in" which just doesn't make sense. It's unfortunate
that this Windows application using ODBC doesn't allow for the username
to be changed, but that's not something PG is going to solve for you. I
would recommend you work on fixing the application.

> It works fine so far, as long as I want to work with the single role given by
> the fixed username. I could map any cn-contents to this one user by writing:
> # MAPNAME SYSTEM-USERNAME PG-USERNAME
> ssl-user /.* fixed_user

What you really want is:
ssl-user user1_cn user1
ssl-user user2_cn user2
ssl-user user3_cn user3

or so..

And then have your application accept and use a username provided to it
when connecting to ODBC. Having your application pass some hard-coded
username to PG all the time just isn't going to work.

> I think the same problem occurs with Kerberos authentication. You can't get
> the role based on your Kerberos ticket, when the username is not set
> likewise.

With Kerberos you do pass in the username (or possibly the username is
"figured out" from the principal, but it's the same to the server side)
you actually want to be in the database as part of the connection and then
the validation is done against the Kerberos credentials. Perhaps your
Windows application also wouldn't work with Kerberos, but in the general
case people are logging in with their username, not with some fixed
username.

Thanks,

Stephen
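The point made in the reply above, that the map only decides whether the presented external identity may log in as the database role the client *asked for*, and never picks a role on the client's behalf, can be seen by modelling the map lookup. The following is an added example written for this page, not PostgreSQL's own code nor anything posted in the thread. It parses pg_ident.conf-style lines and applies the mapping semantics as documented (a SYSTEM-USERNAME beginning with `/` is a regular expression, and `\1` in PG-USERNAME is replaced by the first capture group); the map contents, the role and CN names, and details such as regex anchoring are this example's own assumptions. The third map goes beyond what the thread shows and illustrates the documented `\1` substitution for deriving a role name from a certificate CN.

```python
import re

# Constructed pg_ident.conf contents for illustration (not from the thread's
# actual configuration). Format: MAPNAME  SYSTEM-USERNAME  PG-USERNAME

# The map from the original question: every CN may connect as fixed_user.
FIXED_MAP = r"""
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
ssl-user    /.*               fixed_user
"""

# The map suggested in the reply: one explicit line per user.
PER_USER_MAP = r"""
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
ssl-user    user1_cn          user1
ssl-user    user2_cn          user2
ssl-user    user3_cn          user3
"""

# Assumed generalization: derive the role from a CN of the form name@example.com
# using the documented \1 capture-group substitution.
DOMAIN_MAP = r"""
# MAPNAME   SYSTEM-USERNAME            PG-USERNAME
ssl-user    /^(.*)@example\.com$       \1
"""


def parse_ident(text):
    """Parse pg_ident.conf-style text into (mapname, system_user, pg_user) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("bad pg_ident line: %r" % raw)
        entries.append(tuple(fields))
    return entries


def ident_allows(entries, mapname, system_user, requested_pg_user):
    """Return True if some line of map `mapname` permits `system_user` (the
    certificate CN, Kerberos principal, ...) to log in as `requested_pg_user`.

    The role being checked is the one the client requested; the map never
    chooses a role for the client. Regex matching here is unanchored unless
    the pattern anchors itself (an assumption of this example, so real maps
    should write explicit ^...$ anchors).
    """
    for name, sys_pat, pg_pat in entries:
        if name != mapname:
            continue
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user)
            if not m:
                continue
            if r"\1" in pg_pat:
                if m.lastindex is None:  # \1 used but pattern has no capture group
                    continue
                pg_name = pg_pat.replace(r"\1", m.group(1))
            else:
                pg_name = pg_pat
        else:
            if sys_pat != system_user:  # plain names must match exactly
                continue
            pg_name = pg_pat
        if pg_name == requested_pg_user:
            return True
    return False


def login_decision(map_text, system_user, requested_pg_user, mapname="ssl-user"):
    """Convenience wrapper: 'allowed' or 'rejected' for one connection attempt."""
    ok = ident_allows(parse_ident(map_text), mapname, system_user, requested_pg_user)
    return "allowed" if ok else "rejected"


if __name__ == "__main__":
    # With the catch-all map, any CN may be fixed_user, but nobody can be user1:
    print(login_decision(FIXED_MAP, "anyone_cn", "fixed_user"))   # allowed
    print(login_decision(FIXED_MAP, "anyone_cn", "user1"))        # rejected
    # With per-user lines, the CN must match the role the client asked for:
    print(login_decision(PER_USER_MAP, "user1_cn", "user1"))      # allowed
    print(login_decision(PER_USER_MAP, "user1_cn", "user2"))      # rejected
    # With the \1 map, the role is derived from the CN but still must be requested:
    print(login_decision(DOMAIN_MAP, "user1@example.com", "user1"))  # allowed
    print(login_decision(DOMAIN_MAP, "user2@evil.com", "user2"))     # rejected
```

The example shows why a hard-coded client username cannot be fixed by the map: with `ssl-user /.* fixed_user`, every certificate is accepted for `fixed_user` and no certificate is accepted for any other role, so the server has no way to turn a CN into a different role than the one the application requested.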
