
Client Certificate Authentication Using Custom Fields (i.e. other than CN)

From: George Hafiz
Date:
Hello,

It is currently only possible to authenticate clients using certificates with the CN.

I would like to propose that the field used to identify the client is configurable, e.g. being able to specify DN as the appropriate field. The reason being that in some organisations you might want to use the corporate PKI, but the CN of such certificates is not controlled.

In my case, the DN of our corporate issued client certificates is controlled and derived from AD groups we are members of. Only users in those groups can request client certificates with a DN that is equal to the AD group ID. This would make DN a perfectly suitable drop-in replacement for Postgres client certificate authentication, but as it stands it is not possible to change the field used.

Best regards,
George

Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)

From: David Fetter
Date:
On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
> Hello,
> 
> It is currently only possible to authenticate clients using certificates
> with the CN.
> 
> I would like to propose that the field used to identify the client is
> configurable, e.g. being able to specify DN as the appropriate field. The
> reason being is that in some organisations, where you might want to use the
> corporate PKI, but where the CN of such certificates is not controlled.
> 
> In my case, the DN of our corporate issued client certificates is
> controlled and derived from AD groups we are members of. Only users in
> those groups can request client certificates with a DN that is equal to the
> AD group ID. This would make DN a perfectly suitable drop-in replacement
> for Postgres client certificate authentication, but as it stands it is not
> possible to change the field used.

This all sounds interesting.  Do you have a concrete proposal as to
how such a new interface would look in operation?  Better yet, a PoC
patch implementing same?

Best,
David.
-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate



Re: Client Certificate Authentication Using Custom Fields (i.e. other than CN)

From: George Hafiz
Date:
Hi David,

Glad you are open to the idea!

My proposal would be an additional authentication setting for certauth (alongside the current map option) which lets you specify which subject field to match on.

I'll take a look at what the patch would look like, but this is incredibly tangential to what I'm supposed to be doing, so I can't promise anything! Would be good if anyone else would like to look at it as well. Hopefully it's a relatively straightforward change.

Best regards,
George

On Wed, 4 Sep 2019, 21:40 David Fetter, <david@fetter.org> wrote:
> On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
> > Hello,
> >
> > It is currently only possible to authenticate clients using certificates
> > with the CN.
> >
> > I would like to propose that the field used to identify the client is
> > configurable, e.g. being able to specify DN as the appropriate field. The
> > reason being is that in some organisations, where you might want to use the
> > corporate PKI, but where the CN of such certificates is not controlled.
> >
> > In my case, the DN of our corporate issued client certificates is
> > controlled and derived from AD groups we are members of. Only users in
> > those groups can request client certificates with a DN that is equal to the
> > AD group ID. This would make DN a perfectly suitable drop-in replacement
> > for Postgres client certificate authentication, but as it stands it is not
> > possible to change the field used.
>
> This all sounds interesting.  Do you have a concrete proposal as to
> how such a new interface would look in operation?  Better yet, a PoC
> patch implementing same?
>
> Best,
> David.
> --
> David Fetter <david(at)fetter(dot)org> http://fetter.org/
> Phone: +1 415 235 3778
>
> Remember to vote!
> Consider donating to Postgres: http://www.postgresql.org/about/donate
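The following is an added example, written for this page and not code from the thread, from PostgreSQL, or from either poster. It models the two things discussed above: the CN-only matching George describes in his opening message, and the per-line "which subject field to match on" setting he proposes alongside the existing map option. The setting name `clientname` with values `CN`/`DN` is an assumption standing in for whatever the patch would call it; the certificate subjects, the `pg_ident.conf`-style map, and the role names are constructed sample data; and the map evaluation is a simplified re-implementation of the documented pg_ident rules (exact match, or a regex when the system name starts with `/`, with `\1` replaced by the first capture group), not PostgreSQL's own code.

```python
import re

# Hypothetical per-hba-line setting proposed in this thread: which subject
# field becomes the "system user name" for cert authentication. The name
# "clientname" is an assumption, not a PostgreSQL option on this page.
FIELD_CN = "CN"
FIELD_DN = "DN"

# Constructed sample subjects shaped like a parsed X.509 subject: an ordered
# list of (attribute, value) pairs in certificate (most-general-first) order.
# As in the thread's scenario, the OU is controlled by the corporate PKI
# (derived from AD group membership) while the CN is chosen by the requester.
CORP_READER_SUBJECT = [("C", "GB"), ("O", "ExampleCorp"), ("OU", "db-readers"), ("CN", "alice")]
CORP_ADMIN_SUBJECT = [("C", "GB"), ("O", "ExampleCorp"), ("OU", "db-admins"), ("CN", "alice")]
# Same CA and the same freely chosen CN, but a group that should get no access.
OTHER_GROUP_SUBJECT = [("C", "GB"), ("O", "ExampleCorp"), ("OU", "contractors"), ("CN", "alice")]

# Constructed pg_ident.conf-style map. Regex system names (leading "/") are
# anchored with ^ and $ so that only a complete DN matches; \1 copies the CN.
IDENT_MAP = r"""
# MAPNAME  SYSTEM-USERNAME                                  PG-USERNAME
corp       /^CN=[^,]+,OU=db-readers,O=ExampleCorp,C=GB$     readonly
corp       /^CN=([^,]+),OU=db-admins,O=ExampleCorp,C=GB$    \1
"""


def rfc4514_escape(value):
    """Escape one attribute value as RFC 4514 section 2.4 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def subject_to_dn(subject):
    """Render the subject as an RFC 4514 string (RDNs in reverse order)."""
    return ",".join(f"{attr}={rfc4514_escape(val)}" for attr, val in reversed(subject))


def subject_field(subject, field):
    """Pick the value used as the system user name: CN today, full DN as proposed."""
    if field == FIELD_CN:
        return next(val for attr, val in subject if attr == "CN")
    if field == FIELD_DN:
        return subject_to_dn(subject)
    raise ValueError(f"unsupported clientname field: {field!r}")


def ident_map_allows(ident_map, map_name, system_name, requested_role):
    r"""Simplified pg_ident evaluation: does any line of MAP_NAME map
    SYSTEM_NAME onto REQUESTED_ROLE?  Plain names compare exactly; names
    starting with '/' are regular expressions, and \1 in the PG name is
    replaced by the first capture group.  Any matching line grants access."""
    for raw in ident_map.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed ident map line: {raw!r}")
        name, sysname, pguser = parts
        if name != map_name:
            continue
        if sysname.startswith("/"):
            m = re.search(sysname[1:], system_name)
            if m is None:
                continue
            if "\\1" in pguser:
                if not m.groups():
                    raise ValueError(f"\\1 used without a capture group: {raw!r}")
                pguser = pguser.replace("\\1", m.group(1))
        elif sysname != system_name:
            continue
        if pguser == requested_role:
            return True
    return False


def authorize(subject, requested_role, clientname=FIELD_CN, ident_map=None, map_name=None):
    """cert-auth decision: without a map the chosen field must equal the
    requested role exactly; with a map the ident rules decide."""
    system_name = subject_field(subject, clientname)
    if ident_map is None or map_name is None:
        return system_name == requested_role
    return ident_map_allows(ident_map, map_name, system_name, requested_role)


if __name__ == "__main__":
    cases = [("reader", CORP_READER_SUBJECT), ("admin", CORP_ADMIN_SUBJECT), ("other", OTHER_GROUP_SUBJECT)]
    for label, subj in cases:
        print(f"{label:6} DN={subject_to_dn(subj)}")
        print(f"       CN mode, role alice:        {authorize(subj, 'alice')}")
        print(f"       DN mode+map, role alice:    {authorize(subj, 'alice', FIELD_DN, IDENT_MAP, 'corp')}")
        print(f"       DN mode+map, role readonly: {authorize(subj, 'readonly', FIELD_DN, IDENT_MAP, 'corp')}")
```

Run it with `python3` and compare the three subjects: in CN mode all three authenticate as `alice`, because the CN is the only thing compared and the requester chose it, which is exactly the gap George describes. In DN mode with the map, the reader certificate can only become `readonly`, the admin certificate becomes `alice` via `\1`, and the contractor certificate from the same CA gets nothing. Two design points carry over to any real implementation: compare the whole rendered DN (the patterns are anchored with `^` and `$`, so a subject that merely contains the expected RDNs does not match), and render it with proper RFC 4514 escaping so a comma or equals sign inside a value cannot be mistaken for an RDN boundary.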