From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
---|---|
To: | "Stephen Frost" <sfrost(at)snowman(dot)net>, "Martijn van Oosterhout" <kleptog(at)svana(dot)org> |
Cc: | "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>, <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Design Considerations for New Authentication Methods |
Date: | 2006-11-02 19:58:37 |
Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCEA0FCEA@algol.sollentuna.se |
Lists: | pgsql-hackers |
> > In postgresql the client and server can specify what certificates
> > they'll accept, there are no default trusted CAs. You can require the
> > client to have a certain certificate, for example. The client can also
> > verify the server has the expected certificate. How much it's used I
> > don't know, but SSL does support it.
>
> I don't think you can tie the SSL certificate to a specific user though...
> I certainly can't recall any way to do that today in PG.
You can't. It's been talked about, but never done.
> > > I guess this discussion makes it sound like I've convinced myself to
> > > use SASL. I still need to resolve how to do name translation.
> > > PostgreSQL wants a single unix-like name, and I haven't looked at
> > > how to properly do that translation from SASL (or GSSAPI) names.
> >
> > Usually a field in the certificate is the username postgresql wants,
> > which can be mapped via a table. For SASL I don't know.
>
> I expect we'll need a mapping of some sort, or perhaps a sasl_regexp or
> similar to what is done in OpenLDAP. I don't recall PG supporting using
> the DN from a client cert in an SSL connection as a PG username but
> perhaps I missed it somewhere...
You can't today.
If we want to add username mapping in SASL or whatever, it might be a
good idea to look at generalizing the authuser-to-dbuser mapping stuff
(like we have for identmap now) into something that can be used for all
external auth methods, instead of inventing one for every method.
//Magnus
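As an added example, not code from this thread or from PostgreSQL itself: a sketch of the kind of single authname-to-dbuser map Magnus suggests, in the style of the ident map but fed by whatever identity an external method has already verified (an ident response, a client-certificate subject, a Kerberos/GSSAPI principal, a SASL authcid). The map format, the "/regex" and "\1" conventions, the map names, identities and role names are all constructed assumptions for illustration. The one security point worth carrying into any such generalization is shown explicitly: a regex entry must match the whole identity, otherwise a principal such as alice@EXAMPLE.ORG.evil.net satisfies a pattern written for EXAMPLE.ORG.

```python
import re
from dataclasses import dataclass

# Constructed sample map (assumed format, not pg_ident.conf):
#   MAPNAME  SYSTEM-NAME  PG-NAME
# A SYSTEM-NAME starting with "/" is a regular expression; "\1" in
# PG-NAME is replaced by the regex's first capture group.
SAMPLE_MAP = r"""
# MAPNAME  SYSTEM-NAME (verified external identity)  PG-NAME
unixmap    hotz                                      henry
certmap    /CN=([a-z]+),OU=dba,O=Example             \1
krb        /(.*)@EXAMPLE\.ORG                        \1
krb        svc-backup@EXAMPLE.ORG                    backup
"""


@dataclass(frozen=True)
class MapEntry:
    mapname: str
    sysname: str
    pgname: str


def parse_map(text: str) -> list:
    """Parse the three-column map; '#' starts a comment, blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {raw!r}")
        entries.append(MapEntry(*fields))
    return entries


def check_usermap(entries, mapname, authname, requested_user, anchored=True):
    """Return True if external identity `authname` may log in as role
    `requested_user` under map `mapname`.

    `authname` must be the identity the auth method itself verified
    (certificate subject, Kerberos principal, SASL authcid, ...), never a
    name the client merely claimed.  `anchored=False` reproduces the unsafe
    variant that matches the regex anywhere in the identity; it is here
    only to show the difference and should not be used.
    """
    for e in entries:
        if e.mapname != mapname:
            continue
        if e.sysname.startswith("/"):
            rx = re.compile(e.sysname[1:])
            m = rx.fullmatch(authname) if anchored else rx.search(authname)
            if m is None:
                continue
            if "\\1" in e.pgname:
                if not m.groups():
                    raise ValueError(f"entry {e} uses \\1 without a capture group")
                candidate = e.pgname.replace("\\1", m.group(1))
            else:
                candidate = e.pgname
        elif e.sysname == authname:
            candidate = e.pgname
        else:
            continue
        # Only an exact hit on the role the client asked for counts; the map
        # never "chooses" a role for the client.
        if candidate == requested_user:
            return True
    return False


ENTRIES = parse_map(SAMPLE_MAP)

if __name__ == "__main__":
    checks = [
        ("unixmap", "hotz", "henry"),
        ("certmap", "CN=alice,OU=dba,O=Example", "alice"),
        ("certmap", "CN=alice,OU=dev,O=Example", "alice"),
        ("krb", "alice@EXAMPLE.ORG", "alice"),
        ("krb", "alice@EXAMPLE.ORG.evil.net", "alice"),
        ("krb", "svc-backup@EXAMPLE.ORG", "backup"),
    ]
    for mapname, ident, role in checks:
        ok = check_usermap(ENTRIES, mapname, ident, role)
        print(f"{mapname:8} {ident:32} -> {role:8} {'allow' if ok else 'deny'}")
```

The same check_usermap() call serves every method: the auth code verifies the identity by whatever means the method provides, then hands the resulting string plus the map name from the hba entry to the mapper, so the mapping policy lives in one place rather than being reimplemented per method.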