On Wed, May 12, 2021 at 10:06:05AM -0500, Justin Pryzby wrote:
> On Tue, May 11, 2021 at 10:45:04PM -0400, Bruce Momjian wrote:
> > OK, so this is where I am confused. I searched for distinguished name
> > (DN) and came up with DN being a concatentation of all the fields
> > provided to the certificate signing request (CSR). Is that right?
> > Wouldn't people test _parts_ of the DN, rather than all of it.
>
> +Andrew
>
> The full DN is probably not the postgres username, so the docs suggest that:
> | This option is probably best used in conjunction with a username map.
>
> You're right that clientname=DN allows testing *parts*, of the DN, but I don't
> know if there's any reason to believe that's the typical use case.
>
> The primary utility of clientname=DN seems to be that the CN alone is (or can
> be) ambiguous - matching on the full DN is intended to resolve that. I think
> the release notes should focus on this.
OK, that matches what I thought. Here is my updated version:
<listitem>
<!--
Author: Andrew Dunstan <andrew@dunslane.net>
2021-03-29 [6d7a6feac] Allow matching the DN of a client certificate for
authen
-->
<para>
Allow the certificate's distinguished name (DN) to be matched for client
certificate authentication (Andrew Dunstan)
</para>
<para>
--> The new pg_hba.conf keyword "clientname=DN" allows comparison with
--> certificate attributes beyond the CN and can be combined with ident
--> maps.
</para>
</listitem>
Technically these are attributes of the certificate signing request
(CSR), but I didn't want to mention that here.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.
