Re: Proposal: Save user's original authenticated identity for logging - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: Proposal: Save user's original authenticated identity for logging
Date
Msg-id CABUevEzJg=pme-dEn1ER21nBvGRvw-XCxErQYZQo0ktKvNpbzA@mail.gmail.com
Whole thread Raw
In response to Re: Proposal: Save user's original authenticated identity for logging  (Jacob Champion <pchampion@vmware.com>)
List pgsql-hackers
On Mon, Feb 1, 2021 at 10:36 PM Jacob Champion <pchampion@vmware.com> wrote:
>
> On Sun, 2021-01-31 at 12:27 +0100, Magnus Hagander wrote:
> > > (There's also the fact that I think pg_ident mapping for LDAP would be
> > > just as useful as it is for GSS or certs. That's for a different
> > > conversation.)
> >
> > Specifically for search+bind, I would assume?
>
> Even for the simple bind case, I think it'd be useful to be able to
> perform a pg_ident mapping of
>
>     ldapmap    /.*    ldapuser
>
> so that anyone who is able to authenticate against the LDAP server is
> allowed to assume the ldapuser role. (For this to work, you'd need to
> be able to specify your LDAP username as a connection option, similar
> to how you can specify a client certificate, so that you could set
> PGUSER=ldapuser.)
>
> But again, that's orthogonal to the current discussion.

Right. I guess that's what I mean -- *just* adding support for user
mapping wouldn't be helpful. You'd have to change how the actual
authentication is done. The way that it's done now, mapping makes no
sense.

--
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/



pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: Proposal: Save user's original authenticated identity for logging
Next
From: Bruce Momjian
Date:
Subject: Re: Key management with tests