On 3/29/21 3:50 PM, Andrew Dunstan wrote: > Allow matching the DN of a client certificate for authentication > > Currently we only recognize the Common Name (CN) of a certificate's > subject to be matched against the user name. Thus certificates with > subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same > connection rights. This patch provides an option to match the whole > Distinguished Name (DN) instead of just the CN. On any hba line using > client certificate identity, there is an option 'clientname' which can > have values of 'DN' or 'CN'. The default is 'CN', the current procedure. > > The DN is matched against the RFC2253 formatted DN, which looks like > 'CN=fred,OU=eng'. > > This facility of probably best used in conjunction with an ident map. > > Discussion: > https://postgr.es/m/92e70110-9273-d93c-5913-0bccb6562...@dunslane.net > > Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion
Belated credit where it's due: this work was originally based on a patch from Kosmas Valianos of AppGate. cheers andrew
