Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)

From David Fetter
Subject Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)
Msg-id 20190904204049.GN21153@fetter.org
In reply to Client Certificate Authentication Using Custom Fields (i.e. other than CN)  (George Hafiz <george@hafiz.uk>)
Replies Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)  (George Hafiz <george@hafiz.uk>)
List pgsql-hackers

On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
> Hello,
> 
> It is currently only possible to authenticate clients using certificates
> with the CN.
> 
> I would like to propose that the field used to identify the client is
> configurable, e.g. being able to specify DN as the appropriate field. The
> reason being is that in some organisations, where you might want to use the
> corporate PKI, but where the CN of such certificates is not controlled.
> 
> In my case, the DN of our corporate issued client certificates is
> controlled and derived from AD groups we are members of. Only users in
> those groups can request client certificates with a DN that is equal to the
> AD group ID. This would make DN a perfectly suitable drop-in replacement
> for Postgres client certificate authentication, but as it stands it is not
> possible to change the field used.

This all sounds interesting.  Do you have a concrete proposal as to
how such a new interface would look in operation?  Better yet, a PoC
patch implementing same?

Best,
David.
-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
