| From: | Jacob Champion <pchampion(at)vmware(dot)com> |
|---|---|
| To: | "andrew(at)dunslane(dot)net" <andrew(at)dunslane(dot)net>, "jkatz(at)postgresql(dot)org" <jkatz(at)postgresql(dot)org>, "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: allowing "map" for password auth methods with clientcert=verify-full |
| Date: | 2021-10-27 16:49:21 |
| Message-ID: | 444946837c50b51f99aa96c59fb694cd11250ac9.camel@vmware.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, 2021-10-27 at 10:12 -0400, Andrew Dunstan wrote:
> Possibly slightly off topic, but
>
> The cert+map pattern is very useful in conjunction with pgbouncer. Using
> it with an auth query to get the password pgbouncer doesn't even need to
> have a list of users, and we in effect delegate authentication to
> pgbouncer.
>
> It would be nice to have + and @ expansion for the usernames in the
> ident file, like there is for pg_hba.conf.
(Probably is off-topic :D but +1 to the concept. Combined with LDAP
mapping that could make some of the ad-hoc LDAP-to-Postgres sync
scripts a lot simpler.)
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jonathan S. Katz | 2021-10-27 16:53:44 | Re: allowing "map" for password auth methods with clientcert=verify-full |
| Previous Message | Joshua Brindle | 2021-10-27 16:26:56 | [PATCH] remove is_member_of_role() from header, add can_set_role() |