On Thu, Oct 15, 2020 at 11:31 AM Stephen Frost <sfrost@snowman.net> wrote:
> Please don't top-post on these lists..
Didn't even know what that was, had to look it up. Hopefully it is
resolved. Gmail does too many things for you!
> While not exactly the same, of course, they are more-or-less equivilant
> to Unix groups (it's even possible using NSS to get Unix groups to be
> backed by Windows groups) and so calling it 'system-group' does seem
> like it'd make sense, rather than calling it "Windows groups" or
> similar.
>
> One unfortunate thing regarding this is that, unless things have
> changed, this won't end up working with GSS (unless we add the unix
> group support and that's then backed by AD as I described above) since
> the ability to check group membership using SSPI is an extension to the
> Kerberos protocol, which never included group membership information in
> it, and therefore while this would work for Windows clients connecting
> to Windows servers, it won't work for Windows clients connecting to Unix
> servers with GSSAPI authentication.
>
> The direction I had been thinking of addressing that was to add an
> option to pg_hba.conf's 'gss' auth method which would allow reaching out
> to check group membership against an AD server. In a similar vein, we
> could add an option to the 'sspi' auth method to check the group
> membership, rather than having this done in pg_ident.conf, which is
> really intended to allow mapping between system usernames and PG
> usernames which are different, not really for controlling authentication
> based on group membership when the username is the same.
>
> Russell, thoughts on that..?
So are you saying something like this where its an option to the sspi method?
# TYPE DATABASE USER ADDRESS MASK METHOD
hostssl all some_user 0.0.0.0 0.0.0.0 sspi group="Windows Group"
I guess the code wouldn't change much, unless you mean for it to do a
more generic ldap query. Seems OK to me, but I guess the hba could
become more verbose. The map is nice as it allows your HBA to be very
precise in how your connections and database users are represented,
and the ident map file is there to group those external identities. I
can't say I have a strong opinion either way though.