Re: Design Considerations for New Authentication Methods

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Stephen Frost" <sfrost(at)snowman(dot)net>, "Martijn van Oosterhout" <kleptog(at)svana(dot)org>
Cc: "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>, <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Design Considerations for New Authentication Methods
Date: 2006-11-02 19:58:37
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCEA0FCEA@algol.sollentuna.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> > In postgresql the client and server can specify what certificates
> > thay'll accept, there are no default trusted CAs. You can
> require the
> > client to have a certain certificate, for example. The
> client can also
> > verify the server has the expected certificate. How much
> it's used I
> > don't know, but SSL does support it.
>
> I don't think you can tie the SSL certificate to a specific
> user though... I certainly can't recall any way to do that
> today in PG.

You can't. It's been talked about, but never done.

> > > I guess this discussion makes it sound like I've
> convinced myself to
> > > use SASL. I still need to resolve how to do name translation.
> > > PostgreSQL wants a single unix-like name, and I haven't looked at
> > > how to properly do that translation from SASL (or GSSAPI) names.
> >
> > Usually a field in the certificate is the username
> postgresql wants,
> > which can be mapped via a table. For SASL I don't know.
>
> I expect we'll need a mapping of some sort, or perhaps a
> sasl_regexp or similar to what is done in OpenLDAP. I don't
> recall PG supporting using the DN from a client cert in an
> SSL connection as a PG username but perhaps I missed it somewhere...

You can't today.
If we want to add username mapping in SASL or whatever, it might be a
good idea to look at generalizing the authuser-to-dbuser mapping stuff
(like we have for identmap now) into something that can be used for all
external auth methods. Instead of inventing one for every method.

//Magnus

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message korryd 2006-11-02 20:02:06 Re: Coding style question
Previous Message Stephen Frost 2006-11-02 19:55:52 Re: Design Considerations for New Authentication Methods