Client Certificate Authentication Using Custom Fields (i.e. other than CN) - Mailing list pgsql-hackers

From George Hafiz
Subject Client Certificate Authentication Using Custom Fields (i.e. other than CN)
Msg-id CAM08e9bY1q2a6O595YrYF1Cz+kWBYkYF7Vw-_bz7q0pUsWyU5A@mail.gmail.com
Responses Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)
List pgsql-hackers
Hello,

It is currently only possible to authenticate clients using certificates with the CN.

I would like to propose that the field used to identify the client is configurable, e.g. being able to specify DN as the appropriate field. The reason is that in some organisations you might want to use the corporate PKI, but the CN of such certificates is not controlled.

In my case, the DN of our corporate-issued client certificates is controlled and derived from AD groups we are members of. Only users in those groups can request client certificates with a DN that is equal to the AD group ID. This would make DN a perfectly suitable drop-in replacement for Postgres client certificate authentication, but as it stands it is not possible to change the field used.

Best regards,
George
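
An added illustration of the proposal in the message above (not part of the original e-mail and not PostgreSQL code): it matches constructed certificate subjects first on CN and then on the full DN, to show what changes when the CN is requester-chosen. The subject strings, role name and helper functions are hypothetical, and carrying the group ID in an OU attribute is an assumption.

```python
import re

def parse_dn(dn):
    """Split an RFC 4514-style DN string into (attribute, value) pairs.
    Simplified: honours backslash-escaped commas, not multi-valued RDNs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def client_identity(dn, field):
    """Return the string the server would match on for the chosen field."""
    pairs = parse_dn(dn)
    if field == "DN":
        # Normalised full DN: every RDN takes part in the comparison.
        return ",".join(f"{a}={v}" for a, v in pairs)
    values = [v for a, v in pairs if a == field]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {field}, got {len(values)}")
    return values[0]

def mapped_role(dn, field, identity_map):
    """Role granted to this certificate subject, or None if unmapped."""
    return identity_map.get(client_identity(dn, field))

# Constructed subjects: the PKI fixes the group part, the requester picks the CN.
FINANCE = "CN=jsmith, OU=grp-pg-finance, O=Example Corp"
OTHER = "CN=jsmith, OU=grp-helpdesk, O=Example Corp"

# Hypothetical identity-to-role maps for the two matching modes.
CN_MAP = {"jsmith": "finance_ro"}
DN_MAP = {"CN=jsmith,OU=grp-pg-finance,O=Example Corp": "finance_ro"}

if __name__ == "__main__":
    for subject in (FINANCE, OTHER):
        print(subject)
        print("  CN match ->", mapped_role(subject, "CN", CN_MAP))
        print("  DN match ->", mapped_role(subject, "DN", DN_MAP))
```

With CN matching both subjects resolve to the same role; with DN matching only the subject whose controlled part is in the map does.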
