Hi David,
Glad you are open to the idea!
My proposal would be an additional authentication setting for certauth
(alongside the current map option) which lets you specify which subject
field to match on.
I'll take a look at what the patch would look like, but this is incredibly
tangential to what I'm supposed to be doing, so I can't promise anything!
Would be good if anyone else would like to look at it as well. Hopefully
it's a relatively straightforward change.
Best regards,
George
On Wed, 4 Sep 2019, 21:40 David Fetter, wrote:
> On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
> > Hello,
> >
> > It is currently only possible to authenticate clients using certificates
> > with the CN.
> >
> > I would like to propose that the field used to identify the client is
> > configurable, e.g. being able to specify DN as the appropriate field. The
> > reason being is that in some organisations, where you might want to use
> the
> > corporate PKI, but where the CN of such certificates is not controlled.
> >
> > In my case, the DN of our corporate issued client certificates is
> > controlled and derived from AD groups we are members of. Only users in
> > those groups can request client certificates with a DN that is equal to
> the
> > AD group ID. This would make DN a perfectly suitable drop-in replacement
> > for Postgres client certificate authentication, but as it stands it is
> not
> > possible to change the field used.
>
> This all sounds interesting. Do you have a concrete proposal as to
> how such a new interface would look in operation? Better yet, a PoC
> patch implementing same?
>
> Best,
> David.
> --
> David Fetter http://fetter.org/
> Phone: +1 415 235 3778
>
> Remember to vote!
> Consider donating to Postgres: http://www.postgresql.org/about/donate
>
