Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)

From: David Fetter <david(at)fetter(dot)org>
To: George Hafiz <george(at)hafiz(dot)uk>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)
Date: 2019-09-04 20:40:49
Message-ID: 20190904204049.GN21153@fetter.org
Lists: pgsql-hackers

On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
> Hello,
>
> It is currently only possible to authenticate clients using certificates
> with the CN.
>
> I would like to propose that the field used to identify the client is
> configurable, e.g. being able to specify DN as the appropriate field. The
> reason being that in some organisations you might want to use the
> corporate PKI, but the CN of such certificates is not controlled.
>
> In my case, the DN of our corporate issued client certificates is
> controlled and derived from AD groups we are members of. Only users in
> those groups can request client certificates with a DN that is equal to the
> AD group ID. This would make DN a perfectly suitable drop-in replacement
> for Postgres client certificate authentication, but as it stands it is not
> possible to change the field used.

This all sounds interesting. Do you have a concrete proposal as to
how such a new interface would look in operation? Better yet, a PoC
patch implementing same?

Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
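To make the CN-versus-DN distinction in the proposal concrete, here is an added illustration in Go (not PostgreSQL code and not part of the thread): two constructed client certificates share a CN but sit in different OUs, so a check keyed on the CN alone treats them as the same principal while a check on the full subject DN (RFC 2253 form) keeps them apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed certificate with the given subject. This is
// constructed test data standing in for a corporate-PKI-issued client cert.
func makeCert(subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// identityCN mirrors the current behaviour: the identity is the subject CN alone.
func identityCN(c *x509.Certificate) string { return c.Subject.CommonName }

// identityDN is the proposed alternative: the whole subject DN in RFC 2253 form,
// so every RDN the PKI controls (OU, O, ...) takes part in the match.
func identityDN(c *x509.Certificate) string { return c.Subject.String() }

func main() {
	admin := pkix.Name{CommonName: "alice", OrganizationalUnit: []string{"db-admins"}, Organization: []string{"Example Corp"}}
	other := pkix.Name{CommonName: "alice", OrganizationalUnit: []string{"contractors"}, Organization: []string{"Example Corp"}}
	a, _ := makeCert(admin)
	b, _ := makeCert(other)
	fmt.Println(identityCN(a) == identityCN(b)) // true: CN alone cannot tell them apart
	fmt.Println(identityDN(a) == identityDN(b)) // false: the DN carries the OU
	fmt.Println(identityDN(a))
}
```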
