Re: Allow matching whole DN from a client certificate

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Allow matching whole DN from a client certificate
Date: 2020-11-11 21:33:23
Message-ID: 20201111213323.GK16415@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Andrew Dunstan (andrew(at)dunslane(dot)net) wrote:
> Currently we only match the Common Name (CN) of a client certificate
> when authenticating a user. The attached patch allows matching the
> entire Distinguished Name (DN) of the certificate. This is enabled by
> the HBA line option "clientname", which can take the values "CN" or
> "DN". "CN" is the default.
>
> The idea is that you might have a role with a CN of, say, "dbauser" in
> two different parts of the organization, say one with "OU=marketing" and
> the other with "OU=engineering", and you only want to allow access to
> one of them.
>
> This feature is best used in conjunction with a map. e.g. in testing I
> have this pg_hba.conf line:
>
> hostssl all all 127.0.0.1/32 cert clientname=DN map=dn
>
> and this pg_ident.conf line:
>
> dn /^C=US,ST=North.Carolina,O=test,OU=eng,CN=andrew$ andrew
>
> If people like this idea I'll add tests and docco and add it to the next CF.

Yeah, this is definitely a worthwhile feature.

Thanks,

Stephen
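To show how the `clientname=DN map=dn` configuration quoted above resolves a certificate DN to a database role, here is an added Python simulation of pg_ident map matching (example code, not PostgreSQL's own; it assumes the DN is compared as the `C=US,...,CN=andrew` string shown in the quoted example, and uses Python's `re` in place of PostgreSQL's POSIX regex engine).

```python
import re

# Constructed pg_ident.conf lines modelled on the thread's "dn" map; the
# second line shows the \1 substitution that pg_ident regex maps also allow.
PG_IDENT = """\
# MAPNAME  SYSTEM-USERNAME                                    PG-USERNAME
dn         /^C=US,ST=North.Carolina,O=test,OU=eng,CN=andrew$  andrew
dn         /^C=US,ST=North.Carolina,O=test,OU=eng,CN=(.*)$    \\1
"""


def parse_ident(text):
    """Return (mapname, system_name, pg_name) triples; skip comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident line: {line!r}")
        entries.append(tuple(parts))
    return entries


def dn_allowed(ident_text, mapname, dn, role):
    """True if some line of map `mapname` maps certificate DN `dn` to `role`.

    A SYSTEM-USERNAME starting with '/' is a regex matched against the whole
    DN string (assumed 'C=US,...,CN=name' form); '\\1' in PG-USERNAME is
    replaced by the first capture group. Otherwise an exact comparison is used.
    """
    for name, sysname, pgname in parse_ident(ident_text):
        if name != mapname:
            continue
        if sysname.startswith("/"):
            m = re.match(sysname[1:], dn)
            if not m:
                continue
            if "\\1" in pgname:
                if not m.groups():
                    raise ValueError("\\1 used but regex has no capture group")
                pgname = pgname.replace("\\1", m.group(1))
            if pgname == role:
                return True
        elif sysname == dn and pgname == role:
            return True
    return False
```

With this map, a certificate under `OU=eng` for andrew is accepted while an otherwise identical certificate under `OU=marketing` is rejected, which is exactly the split the quoted message describes.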
