Home > mailing lists

Re: allowing "map" for password auth methods with clientcert=verify-full - Mailing list pgsql-hackers

From	Jacob Champion
Subject	Re: allowing "map" for password auth methods with clientcert=verify-full
Date	October 27, 2021 19:49:21
Msg-id	444946837c50b51f99aa96c59fb694cd11250ac9.camel@vmware.com Whole thread Raw
In response to	Re: allowing "map" for password auth methods with clientcert=verify-full (Andrew Dunstan <andrew@dunslane.net>)
List	pgsql-hackers

Tree view

On Wed, 2021-10-27 at 10:12 -0400, Andrew Dunstan wrote:
> Possibly slightly off topic, but
> 
> The cert+map pattern is very useful in conjunction with pgbouncer. Using
> it with an auth query to get the password pgbouncer doesn't even need to
> have a list of users, and we in effect delegate authentication to
> pgbouncer.
> 
> It would be nice to have + and @ expansion for the usernames in the
> ident file, like there is for pg_hba.conf.

(Probably is off-topic :D but +1 to the concept. Combined with LDAP
mapping that could make some of the ad-hoc LDAP-to-Postgres sync
scripts a lot simpler.)

--Jacob

pgsql-hackers by date:

From: Joshua Brindle
Date: 27 October 2021, 19:26:56
Subject: [PATCH] remove is_member_of_role() from header, add can_set_role()

From: "Jonathan S. Katz"
Date: 27 October 2021, 19:53:44
Subject: Re: allowing "map" for password auth methods with clientcert=verify-full

Re: allowing "map" for password auth methods with clientcert=verify-full - Mailing list pgsql-hackers

Previous

Next