On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
> Hello,
>
> It is currently only possible to authenticate clients using certificates
> with the CN.
>
> I would like to propose that the field used to identify the client is
> configurable, e.g. being able to specify DN as the appropriate field. The
> reason being that in some organisations you might want to use the
> corporate PKI, but the CN of such certificates is not controlled.
>
> In my case, the DN of our corporate issued client certificates is
> controlled and derived from AD groups we are members of. Only users in
> those groups can request client certificates with a DN that is equal to the
> AD group ID. This would make DN a perfectly suitable drop-in replacement
> for Postgres client certificate authentication, but as it stands it is not
> possible to change the field used.
This all sounds interesting. Do you have a concrete proposal as to how such a new interface would look in operation? Better yet, a PoC patch implementing same?

Best,
David.

-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
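An added configuration example, not taken from the thread, showing the mechanism George's proposal is about: with the `cert` authentication method the server verifies the client certificate against `ssl_ca_file` and then takes the subject Common Name (CN) as the identity it matches against the database role, optionally through a user-name map in pg_ident.conf. The map name, address range, CN patterns and role names below are assumptions chosen for illustration.

```conf
# pg_hba.conf (assumed fragment, added example).
# "cert" = TLS client-certificate authentication. The identity the
# server compares against the role is the certificate's subject CN;
# "map=certmap" routes that CN through the user-name map below.
# TYPE  DATABASE  USER  ADDRESS       METHOD
hostssl all       all   10.0.0.0/8    cert map=certmap

# pg_ident.conf (assumed fragment, added example).
# For cert authentication the SYSTEM-USERNAME column is the CN presented
# in the client certificate; PG-USERNAME is the role it may log in as.
# MAPNAME  SYSTEM-USERNAME                              PG-USERNAME
certmap    "alice.example"                              alice
# Regular-expression form: a CN of the shape <user>.clients.example.org
# maps to role <user>; a CN that matches no line is rejected.
certmap    /^([a-z0-9_]+)\.clients\.example\.org$/      \1
```

The security point behind the proposal is visible in the map: only the CN is consulted, so whoever controls the CN of certificates issued under the trusted CA controls which role a holder can obtain. Where the CA is a corporate PKI that does not constrain the CN (George's case), the map cannot express the organisation's actual policy, which lives in other DN components. Defensively, keep `ssl_ca_file` limited to the CA that issues the client certificates in question and keep map patterns as narrow as the regex form allows. PostgreSQL 14 later added a `clientname=DN` option to the `cert` method that matches the full subject DN instead; the fragment above shows the CN-only behaviour the thread describes.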