> > In postgresql the client and server can specify what certificates
> > they'll accept, there are no default trusted CAs. You can require the
> > client to have a certain certificate, for example. The client can also
> > verify the server has the expected certificate. How much it's used I
> > don't know, but SSL does support it.
> 
> I don't think you can tie the SSL certificate to a specific 
> user though...  I certainly can't recall any way to do that 
> today in PG.

You can't. It's been talked about, but never done.


> > > I guess this discussion makes it sound like I've convinced myself to
> > > use SASL.  I still need to resolve how to do name translation.
> > > PostgreSQL wants a single unix-like name, and I haven't looked at
> > > how to properly do that translation from SASL (or GSSAPI) names.
> >
> > Usually a field in the certificate is the username postgresql wants,
> > which can be mapped via a table. For SASL I don't know.
> 
> I expect we'll need a mapping of some sort, or perhaps a 
> sasl_regexp or similar to what is done in OpenLDAP.  I don't 
> recall PG supporting using the DN from a client cert in an 
> SSL connection as a PG username but perhaps I missed it somewhere...

You can't today.
If we want to add username mapping in SASL or whatever, it might be a
good idea to look at generalizing the authuser-to-dbuser mapping stuff
(like we have for identmap now) into something that can be used for all
external auth methods, instead of inventing one for every method.

//Magnus
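The authuser-to-dbuser mapping Magnus refers to is the pg_ident.conf idea: a map name, the name the external auth method produced (a certificate field, a Kerberos principal, an ident response), and the database user that name may connect as. The following is an added example and not code from this thread or from PostgreSQL itself: a small Python re-implementation of such a map lookup over a constructed sample map. The regex form (system name starting with `/`, `\1` substituted in the database name) is an assumption here, modelled on a feature later PostgreSQL releases added and not something the thread describes. It shows why one generic map can serve certificate DNs and SASL/GSSAPI principals alike, and that the check is an authorization question (may this external identity act as the requested role?), not a rewrite of the requested role.

```python
import re
from typing import List, Tuple

# Constructed sample map, pg_ident.conf style: MAPNAME SYSTEM-USERNAME PG-USERNAME.
# Lines starting with '/' in the second column are regexes (assumed feature, see lead-in).
SAMPLE_IDENT_MAP = r"""
# MAPNAME   SYSTEM-USERNAME                   PG-USERNAME
certmap     "CN=alice,OU=dba,O=Example"       alice
certmap     "CN=bob,OU=dba,O=Example"         bob
krbmap      /^([a-z]+)@EXAMPLE\.ORG$          \1
krbmap      /^([a-z]+)@CORP\.EXAMPLE\.ORG$    corp_\1
"""

Entry = Tuple[str, str, str]


def _tokenize(line: str) -> List[str]:
    """Split a map line into fields. Double quotes group a field that contains
    spaces (certificate DNs often do); '#' outside quotes starts a comment."""
    tokens: List[str] = []
    cur: List[str] = []
    in_quote = False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            break
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError(f"unterminated quote in map line: {line!r}")
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_ident_map(text: str) -> List[Entry]:
    """Parse the map text into (map_name, system_user_pattern, db_user) triples.
    A line with the wrong number of fields is rejected rather than guessed at."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        fields = _tokenize(raw)
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed ident map line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def map_user(entries: List[Entry], map_name: str,
             system_user: str, requested_db_user: str) -> bool:
    """Return True if some line of `map_name` allows the externally authenticated
    `system_user` to connect as `requested_db_user`. The client still names the
    role it wants; the map only says whether that pairing is permitted."""
    for name, sys_pat, db_pat in entries:
        if name != map_name:
            continue
        if sys_pat.startswith("/"):
            m = re.match(sys_pat[1:], system_user)  # anchored at start; pattern carries its own $
            if not m:
                continue
            if "\\1" in db_pat:
                if not m.groups():
                    raise ValueError(f"pattern {sys_pat!r} has no capture group for \\1")
                mapped = db_pat.replace("\\1", m.group(1))
            else:
                mapped = db_pat
        else:
            if sys_pat != system_user:  # exact, case-sensitive comparison
                continue
            mapped = db_pat
        if mapped == requested_db_user:
            return True
    return False


def demo() -> List[Tuple[str, str, str, bool]]:
    """Run a few constructed lookups and return (map, system user, role, allowed)."""
    entries = parse_ident_map(SAMPLE_IDENT_MAP)
    cases = [
        ("certmap", "CN=alice,OU=dba,O=Example", "alice"),
        ("certmap", "CN=alice,OU=dba,O=Example", "bob"),        # DN may not act as bob
        ("krbmap", "carol@EXAMPLE.ORG", "carol"),
        ("krbmap", "dave@CORP.EXAMPLE.ORG", "corp_dave"),
        ("krbmap", "dave@CORP.EXAMPLE.ORG", "dave"),             # wrong realm for bare name
    ]
    return [(m, s, r, map_user(entries, m, s, r)) for m, s, r in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The map is consulted with the external identity the auth method already verified; it never grants a role on the strength of a name the client merely claims, which is the property a shared mapping layer has to preserve regardless of whether the identity came from a certificate, GSSAPI or SASL.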
