Client Certificate Authentication Using Custom Fields (i.e. other than CN)
Hello,
It is currently only possible to authenticate clients using certificates
with the CN.
I would like to propose that the field used to identify the client is
configurable, e.g. being able to specify DN as the appropriate field. The
reason being is that in some organisations, where you might want to use the
corporate PKI, but where the CN of such certificates is not controlled.
In my case, the DN of our corporate issued client certificates is
controlled and derived from AD groups we are members of. Only users in
those groups can request client certificates with a DN that is equal to the
AD group ID. This would make DN a perfectly suitable drop-in replacement
for Postgres client certificate authentication, but as it stands it is not
possible to change the field used.
Best regards,
George
On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
Hello,
It is currently only possible to authenticate clients using certificates
with the CN.I would like to propose that the field used to identify the client is
configurable, e.g. being able to specify DN as the appropriate field. The
reason being is that in some organisations, where you might want to use the
corporate PKI, but where the CN of such certificates is not controlled.In my case, the DN of our corporate issued client certificates is
controlled and derived from AD groups we are members of. Only users in
those groups can request client certificates with a DN that is equal to the
AD group ID. This would make DN a perfectly suitable drop-in replacement
for Postgres client certificate authentication, but as it stands it is not
possible to change the field used.
This all sounds interesting. Do you have a concrete proposal as to
how such a new interface would look in operation? Better yet, a PoC
patch implementing same?
Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
Hi David,
Glad you are open to the idea!
My proposal would be an additional authentication setting for certauth
(alongside the current map option) which lets you specify which subject
field to match on.
I'll take a look at what the patch would look like, but this is incredibly
tangential to what I'm supposed to be doing, so I can't promise anything!
Would be good if anyone else would like to look at it as well. Hopefully
it's a relatively straightforward change.
Best regards,
George
On Wed, 4 Sep 2019, 21:40 David Fetter, <david@fetter.org> wrote:
Show quoted text
On Wed, Sep 04, 2019 at 05:24:15PM +0100, George Hafiz wrote:
Hello,
It is currently only possible to authenticate clients using certificates
with the CN.I would like to propose that the field used to identify the client is
configurable, e.g. being able to specify DN as the appropriate field. The
reason being is that in some organisations, where you might want to usethe
corporate PKI, but where the CN of such certificates is not controlled.
In my case, the DN of our corporate issued client certificates is
controlled and derived from AD groups we are members of. Only users in
those groups can request client certificates with a DN that is equal tothe
AD group ID. This would make DN a perfectly suitable drop-in replacement
for Postgres client certificate authentication, but as it stands it isnot
possible to change the field used.
This all sounds interesting. Do you have a concrete proposal as to
how such a new interface would look in operation? Better yet, a PoC
patch implementing same?Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate