Home > mailing lists

Re: allowing "map" for password auth methods with clientcert=verify-full - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: allowing "map" for password auth methods with clientcert=verify-full
Date	October 26, 2021 22:26:08
Msg-id	113078.1635276368@sss.pgh.pa.us Whole thread Raw
In response to	allowing "map" for password auth methods with clientcert=verify-full ("Jonathan S. Katz" <jkatz@postgresql.org>)
Responses	Re: allowing "map" for password auth methods with clientcert=verify-full ("Jonathan S. Katz" <jkatz@postgresql.org>)
List	pgsql-hackers

Tree view

"Jonathan S. Katz" <jkatz@postgresql.org> writes:
> With certificate-based authentication methods and other methods, we 
> allow for users to specify a mapping in pg_ident, e.g. if one needs to 
> perform a rewrite on the CN to match the username that is specified 
> within PostgreSQL.

> It seems logical that we should allow for something like:
>     hostssl all all all scram-sha-256 clientcert=verify-full map=map
> so we can accept certificates that may have CNs that can be mapped to a 
> PostgreSQL user name.

I think this is conflating two different things: a mapping from the
username given in the startup packet, and a mapping from the TLS
certificate CN.  Using the same keyword and terminology for both
is going to lead to pain.  I'm on board with the idea if we can
disentangle that, though.

            regards, tom lane

pgsql-hackers by date:

From: "Jonathan S. Katz"
Date: 26 October 2021, 21:59:19
Subject: allowing "map" for password auth methods with clientcert=verify-full

From: Mahendra Singh Thalor
Date: 26 October 2021, 22:31:36
Subject: Re: Replication & recovery_min_apply_delay

Re: allowing "map" for password auth methods with clientcert=verify-full - Mailing list pgsql-hackers

Previous

Next