My proposal would be an additional authentication setting for certauth (alongside the current map option) which lets you specify which subject field to match on.
I'll take a look at what the patch would look like, but this is incredibly tangential to what I'm supposed to be doing, so I can't promise anything! Would be good if anyone else would like to look at it as well. Hopefully it's a relatively straightforward change.
Best regards,
George
On Wed, 4 Sep 2019, 21:40 David Fetter, <david@fetter.org> wrote:
On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
> Hello,
>
> It is currently only possible to authenticate clients using certificates
> with the CN.
>
> I would like to propose that the field used to identify the client is
> configurable, e.g. being able to specify DN as the appropriate field. The
> reason being that in some organisations you might want to use the
> corporate PKI, but the CN of such certificates is not controlled.
>
> In my case, the DN of our corporate issued client certificates is
> controlled and derived from AD groups we are members of. Only users in
> those groups can request client certificates with a DN that is equal to the
> AD group ID. This would make DN a perfectly suitable drop-in replacement
> for Postgres client certificate authentication, but as it stands it is not
> possible to change the field used.
This all sounds interesting. Do you have a concrete proposal as to how such a new interface would look in operation? Better yet, a PoC patch implementing same?
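An added illustration of the limitation discussed above, not part of the thread and not a patch from either participant: with the `cert` method, PostgreSQL takes the certificate's Common Name as the system user name and hands only that string to the pg_ident.conf map named by `map=`, so a regex in the map can constrain or rewrite the CN but never sees the rest of the subject DN. The map name, network range and domain below are constructed for the example.

```conf
# pg_hba.conf (constructed example)
# TYPE    DATABASE  USER  ADDRESS      METHOD
hostssl   all       all   10.0.0.0/8   cert map=corp

# pg_ident.conf (constructed example)
# The SYSTEM-USERNAME column is matched against the certificate CN only.
# A client presenting CN=alice@corp.example logs in as the role "alice".
# MAPNAME   SYSTEM-USERNAME             PG-USERNAME
corp        /^([^@]+)@corp\.example$    \1
```

A subject such as `CN=alice@corp.example, OU=db-admins, O=Corp` therefore contributes only `alice@corp.example` to the decision; the `OU` and `O` components, which in the scenario above are the part the PKI actually controls, cannot be checked here. If the requester chooses the CN, the map's regex constrains a value the attacker picks, which is the gap the proposal is meant to close.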