pgsql: Allow matching the DN of a client certificate for authentication

From Andrew Dunstan
Subject pgsql: Allow matching the DN of a client certificate for authentication
Date
Msg-id E1lQxtk-0002BR-Sy@gemulon.postgresql.org
Whole thread / Raw message
Responses Re: pgsql: Allow matching the DN of a client certificate for authentication  (Andrew Dunstan <andrew@dunslane.net>)
Re: pgsql: Allow matching the DN of a client certificate for authentication  (Daniel Gustafsson <daniel@yesql.se>)
List pgsql-committers
Allow matching the DN of a client certificate for authentication

Currently we only recognize the Common Name (CN) of a certificate's
subject to be matched against the user name. Thus certificates with
subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same
connection rights. This patch provides an option to match the whole
Distinguished Name (DN) instead of just the CN. On any hba line using
client certificate identity, there is an option 'clientname' which can
have values of 'DN' or 'CN'. The default is 'CN', the current procedure.

The DN is matched against the RFC2253 formatted DN, which looks like
'CN=fred,OU=eng'.

This facility is probably best used in conjunction with an ident map.

Discussion: https://postgr.es/m/92e70110-9273-d93c-5913-0bccb6562740@dunslane.net

Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/6d7a6feac48b1970c4cd127ee65d4c487acbb5e9

Modified Files
--------------
doc/src/sgml/client-auth.sgml         | 24 +++++++++++++-
src/backend/libpq/auth.c              | 34 +++++++++++++++----
src/backend/libpq/be-secure-openssl.c | 61 ++++++++++++++++++++++++++++++++---
src/backend/libpq/be-secure.c         |  5 +--
src/backend/libpq/hba.c               | 31 ++++++++++++++++++
src/include/libpq/hba.h               |  7 ++++
src/include/libpq/libpq-be.h          |  1 +
src/test/ssl/Makefile                 |  9 +++++-
src/test/ssl/client-dn.config         | 16 +++++++++
src/test/ssl/ssl/client-dn.crt        | 19 +++++++++++
src/test/ssl/ssl/client-dn.key        | 27 ++++++++++++++++
src/test/ssl/t/001_ssltests.pl        | 34 +++++++++++++++++--
src/test/ssl/t/SSLServer.pm           | 16 +++++++++
13 files changed, 266 insertions(+), 18 deletions(-)
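The following is an added, constructed model of the matching behaviour the commit message describes; it is not PostgreSQL's code and not part of this commit. It renders an OpenSSL slash-form subject in RFC 2253 order (so '/OU=eng/CN=fred' becomes 'CN=fred,OU=eng'), resolves the certificate identity under clientname=CN or clientname=DN, and then runs the identity through a pg_ident.conf-style map. The pg_hba.conf and pg_ident.conf lines in the docstring are assumed to follow the existing hba and ident syntax (map=, and regex entries beginning with '/'); the certificate subjects, map names and users are invented. It shows the collision the commit message mentions (two certificates with CN=fred but different OU both authenticate as fred in CN mode), that DN mode alone never matches a plain user name, that an anchored ident-map regex tells the two certificates apart, and that an unanchored regex lets a certificate with extra subject attributes through.

```python
"""Model of clientname=CN vs. clientname=DN matching plus an ident map.
Constructed example, not PostgreSQL's code; it simplifies the real parsers
(slash-form values containing '/' are not handled). The configuration it
models is assumed to look like this:

    # pg_hba.conf
    hostssl  all  all  0.0.0.0/0  cert  clientname=DN  map=dnmap
    # pg_ident.conf   MAPNAME  SYSTEM-USERNAME                      PG-USERNAME
    dnmap  "/^CN=fred,OU=eng,O=Example Corp$"  fred
"""
import re

# Characters RFC 2253 requires to be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')

def _escape_value(value: str) -> str:
    """Escape one attribute value as RFC 2253 section 2.4 prescribes."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def parse_slash_dn(slash_dn: str) -> list:
    """Parse OpenSSL's one-line '/OU=eng/CN=fred' form into [(attr, value), ...]."""
    if not slash_dn.startswith('/'):
        raise ValueError('expected a DN starting with "/"')
    rdns = []
    for part in slash_dn[1:].split('/'):
        attr, sep, value = part.partition('=')
        if not sep or not attr:
            raise ValueError(f'malformed RDN: {part!r}')
        rdns.append((attr, value))
    return rdns

def rfc2253_dn(slash_dn: str) -> str:
    """RFC 2253 rendering: most specific RDN first, comma separated, escaped."""
    rdns = parse_slash_dn(slash_dn)
    return ','.join(f'{attr}={_escape_value(value)}' for attr, value in reversed(rdns))

def cert_identity(slash_dn: str, clientname: str = 'CN') -> str:
    """Name the certificate presents for authentication, per the clientname option."""
    if clientname == 'CN':
        cns = [value for attr, value in parse_slash_dn(slash_dn) if attr == 'CN']
        if len(cns) != 1:
            raise ValueError('certificate subject must carry exactly one CN')
        return cns[0]
    if clientname == 'DN':
        return rfc2253_dn(slash_dn)
    raise ValueError(f'unknown clientname option: {clientname!r}')

def ident_map_allows(ident_map, map_name: str, system_name: str, pg_user: str) -> bool:
    """pg_ident.conf-style lookup: entries are (map, system-username, pg-username).
    A system-username starting with '/' is a regex; its first capture may be
    referenced as \\1 in pg-username."""
    for name, sys_user, mapped_user in ident_map:
        if name != map_name:
            continue
        if sys_user.startswith('/'):
            m = re.search(sys_user[1:], system_name)
            if m is None:
                continue
            if '\\1' in mapped_user and m.groups():
                mapped_user = mapped_user.replace('\\1', m.group(1))
        elif sys_user != system_name:
            continue
        if mapped_user == pg_user:
            return True
    return False

def authorize(slash_dn: str, requested_user: str, clientname: str = 'CN',
              map_name: str = None, ident_map=()) -> bool:
    """Without a map the certificate identity must equal the requested user name;
    with a map, the ident map decides."""
    identity = cert_identity(slash_dn, clientname)
    if map_name is None:
        return identity == requested_user
    return ident_map_allows(ident_map, map_name, identity, requested_user)

# Constructed certificate subjects: same CN, different organisational units.
ENG_CERT = '/O=Example Corp/OU=eng/CN=fred'
SALES_CERT = '/O=Example Corp/OU=sales/CN=fred'

# Constructed ident maps: anchored, unanchored (sloppy), and with a capture.
DN_MAP = [('dnmap', '/^CN=fred,OU=eng,O=Example Corp$', 'fred')]
SLOPPY_MAP = [('dnmap', '/CN=fred,OU=eng,O=Example Corp$', 'fred')]
CAPTURE_MAP = [('engmap', '/^CN=(\\w+),OU=eng,O=Example Corp$', '\\1')]
```

The anchored form of the map entry is the one to copy: the DN an ident-map regex sees is the whole RFC 2253 string, so a pattern that is not pinned with `^` and `$` will also accept any certificate whose subject merely contains the expected attributes, such as one the CA issued with an additional emailAddress component.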


In pgsql-committers by date:

Previous
From: Robert Haas
Date:
Message: Re: pgsql: Add a new GUC and a reloption to enable inserts in parallel-mode
Next
From: David Rowley
Date:
Message: pgsql: Adjust design of per-worker parallel seqscan data struct