Hi all,
this patch adds the possibility to map the login-rolename to a different
rolename actually used for permissions.
What is it used for?
I'm working with smartcard based TLS-authentication to connect to the PG
server. Authentication is done with the keys and certificates from the card
within the TLS handshake. Certificate-CN and login-username have to be the
same or have to match by the "pg_ident.conf". The role actually used for
permissions is always the login-username. This patch allowes, to change the
actually permissions to a role based on the certificate-CN. It is realised by
an additional column in "pg_ident.conf".
When using ODBC, you have to setup a fixed username which is used for login.
Different permissions depending on the CN of the certificate on the current
smartcard could be achieved by the following line:
# MAPNAME SYSTEM-USERNAME PG-USERNAME EFFECTIVE-USERNAME
ssl-user /(.*) dummy \1
The extension could be similar used for kerberos authentication, too.
Bytheway I refactored the pg_ident-code a little bit, to avoid duplicated code
and to allow substitution of more than one match (\2, \3 etc).
Questions (I'm quite new to the PG-sources and used to write Ruby code):
- Is this something useful - or is there a much easier way?
- Are there any implementation shortcomings?
regards
Lars Kanis
