On Mon, Feb 1, 2021 at 10:36 PM Jacob Champion <pchamp...@vmware.com> wrote:
>
> On Sun, 2021-01-31 at 12:27 +0100, Magnus Hagander wrote:
> > > (There's also the fact that I think pg_ident mapping for LDAP would be
> > > just as useful as it is for GSS or certs. That's for a different
> > > conversation.)
> >
> > Specifically for search+bind, I would assume?
>
> Even for the simple bind case, I think it'd be useful to be able to
> perform a pg_ident mapping of
>
>     ldapmap /.* ldapuser
>
> so that anyone who is able to authenticate against the LDAP server is
> allowed to assume the ldapuser role. (For this to work, you'd need to
> be able to specify your LDAP username as a connection option, similar
> to how you can specify a client certificate, so that you could set
> PGUSER=ldapuser.)
>
> But again, that's orthogonal to the current discussion.
Right. I guess that's what I mean -- *just* adding support for user
mapping wouldn't be helpful. You'd have to change how the actual
authentication is done. The way that it's done now, mapping makes no
sense.

--
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/