Re: Proposal: Save user's original authenticated identity for logging
Magnus Hagander <magnus@hagander.net>
From: Magnus Hagander <magnus@hagander.net>
To: Jacob Champion <pchampion@vmware.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>,
"sfrost@snowman.net" <sfrost@snowman.net>
Date: 2021-02-01T22:15:44Z
Lists: pgsql-hackers
On Mon, Feb 1, 2021 at 10:36 PM Jacob Champion <pchampion@vmware.com> wrote: > > On Sun, 2021-01-31 at 12:27 +0100, Magnus Hagander wrote: > > > (There's also the fact that I think pg_ident mapping for LDAP would be > > > just as useful as it is for GSS or certs. That's for a different > > > conversation.) > > > > Specifically for search+bind, I would assume? > > Even for the simple bind case, I think it'd be useful to be able to > perform a pg_ident mapping of > > ldapmap /.* ldapuser > > so that anyone who is able to authenticate against the LDAP server is > allowed to assume the ldapuser role. (For this to work, you'd need to > be able to specify your LDAP username as a connection option, similar > to how you can specify a client certificate, so that you could set > PGUSER=ldapuser.) > > But again, that's orthogonal to the current discussion. Right. I guess that's what I mean -- *just* adding support for user mapping wouldn't be helpful. You'd have to change how the actual authentication is done. The way that it's done now, mapping makes no sense. -- Magnus Hagander Me: https://www.hagander.net/ Work: https://www.redpill-linpro.com/
Commits
-
Add missing $Test::Builder::Level settings
- 73aa5e0cafd0 15.0 landed
- e536a2683439 14.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 landed
-
Fix some issues with SSL and Kerberos tests
- 5a71964a832f 14.0 landed
-
Refactor all TAP test suites doing connection checks
- c50624cdd248 14.0 landed