From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Jacob Champion <pchampion(at)vmware(dot)com> |
Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net> |
Subject: | Re: Proposal: Save user's original authenticated identity for logging |
Date: | 2021-02-01 22:15:44 |
Message-ID: | CABUevEzJg=pme-dEn1ER21nBvGRvw-XCxErQYZQo0ktKvNpbzA@mail.gmail.com |
Lists: | pgsql-hackers |
On Mon, Feb 1, 2021 at 10:36 PM Jacob Champion <pchampion(at)vmware(dot)com> wrote:
>
> On Sun, 2021-01-31 at 12:27 +0100, Magnus Hagander wrote:
> > > (There's also the fact that I think pg_ident mapping for LDAP would be
> > > just as useful as it is for GSS or certs. That's for a different
> > > conversation.)
> >
> > Specifically for search+bind, I would assume?
>
> Even for the simple bind case, I think it'd be useful to be able to
> perform a pg_ident mapping of
>
> ldapmap /.* ldapuser
>
> so that anyone who is able to authenticate against the LDAP server is
> allowed to assume the ldapuser role. (For this to work, you'd need to
> be able to specify your LDAP username as a connection option, similar
> to how you can specify a client certificate, so that you could set
> PGUSER=ldapuser.)
>
> But again, that's orthogonal to the current discussion.
Right. I guess that's what I mean -- *just* adding support for user
mapping wouldn't be helpful. You'd have to change how the actual
authentication is done. The way that it's done now, mapping makes no
sense.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
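To make the mapping semantics discussed above concrete, here is an added example (not code from the thread or from PostgreSQL itself) that implements the pg_ident.conf matching rules in Python: a regex system-username when the field starts with `/`, `\1` substitution from a single capture group, and otherwise an exact comparison with the requested role. The map lines and the LDAP prefix/suffix values are constructed sample data. The `ldapmap /.* ldapuser` line maps any authenticated identity to `ldapuser`, while `ldap_simple_bind_dn` shows why that is not yet useful for simple bind: the identity presented to the LDAP server is derived from the requested role, so there is no separate authenticated identity to map.

```python
import re

# Constructed pg_ident.conf-style map (sample data, not from the thread).
# Format: MAPNAME  SYSTEM-USERNAME  PG-USERNAME
SAMPLE_PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME           PG-USERNAME
ldapmap    /.*                       ldapuser
certmap    /^(.*)@corp\.example$     \1
admins     jdoe                      postgres
"""


def parse_pg_ident(text):
    """Parse pg_ident.conf-style lines into (map, system_user, pg_user) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(parts))
    return entries


def check_usermap(entries, map_name, authenticated_identity, requested_role):
    """Return True if some line of map_name lets authenticated_identity
    connect as requested_role, following pg_ident.conf semantics:
    a system-username starting with '/' is a regex, and '\\1' in the
    pg-username is replaced by the regex's first capture group."""
    for name, sys_user, pg_user in entries:
        if name != map_name:
            continue
        if sys_user.startswith("/"):
            m = re.search(sys_user[1:], authenticated_identity)
            if not m:
                continue
            if "\\1" in pg_user:
                if m.re.groups < 1:
                    raise ValueError("pg-username uses \\1 but regex has no group")
                pg_user = pg_user.replace("\\1", m.group(1))
        elif sys_user != authenticated_identity:
            continue
        if pg_user == requested_role:
            return True
    return False


def ldap_simple_bind_dn(requested_role, prefix, suffix):
    """Simple-bind LDAP auth binds as prefix + role + suffix: the identity
    checked by LDAP is built from the requested role, which is why a user
    map has nothing independent to map for this method."""
    return f"{prefix}{requested_role}{suffix}"


if __name__ == "__main__":
    ident = parse_pg_ident(SAMPLE_PG_IDENT)
    print(check_usermap(ident, "ldapmap", "alice", "ldapuser"))   # True
    print(check_usermap(ident, "certmap", "bob@corp.example", "bob"))  # True
    print(ldap_simple_bind_dn("ldapuser", "uid=", ",ou=people,dc=example,dc=net"))
```

With `ldapmap`, any identity the LDAP server accepts resolves to `ldapuser` and nothing else; with `certmap`, the role is taken from the certificate's local part and a certificate from another domain matches no line at all.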