
We would like to have clients connect to our MariaDB server, using client certificates from a trusted (internal) issuer and then log which user connected.

Unfortunately, the following limitations are preventing success:

  • It's possible to trust everyone from the same issuer, but then they all have to be mapped to the same MariaDB user.
  • It's possible to audit log user connections, but the logs only show the actual MariaDB user, not the subject of the certificate the client is using.
  • It's not possible to dynamically create actual MariaDB users based on the client certificate.

Is there a solution to our dilemma, other than pre-populating a MariaDB user for each possible client certificate?

womble
  • The client certificate gets validated by the web server. So the question is which web server you are using. Apache, in fact, can log the client certificate that was used to authenticate. Do you want to use the same mariadb user or do you want to avoid it? – cornelinux Sep 07 '14 at 10:43
  • @cornelinux, this is a question about MariaDB server. There is no web server. SSL/TLS is not just for HTTP. – David Timothy Strauss Sep 15 '14 at 09:07

1 Answer


Yep, you're doomed to creating a MariaDB user for each user you wish to connect to the server, with a REQUIRE SUBJECT '/CN=foo/emailAddress=foo@example.com/'. It's a hideous, error-prone syntax. MySQL's user management is fairly pants in a great many ways.

womble
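The per-certificate mapping the answer describes, set against the shared-issuer account the question describes, as an added example that is not part of the original post; the CA, DNs, user and database names are constructed, and the statements assume MariaDB 10.2 or later (where REQUIRE is accepted on CREATE USER) with the bundled server_audit plugin available.

```sql
-- Added example (not from the original post). Names, DNs and the CA are constructed.
-- Assumes MariaDB 10.2+ (CREATE USER ... REQUIRE); on older versions the REQUIRE
-- clause is given on GRANT instead.

-- What the question describes: one account trusting every certificate from the
-- internal CA. It works, but every connection is audited as 'shared_app', so the
-- log cannot tell the certificate holders apart.
CREATE USER 'shared_app'@'%'
  REQUIRE ISSUER '/C=US/O=Example Corp/CN=Example Internal CA';

-- What the answer describes: one account per certificate subject. The subject
-- string must match the certificate's DN exactly, in OpenSSL's one-line form and
-- component order. Pinning the issuer as well stops a certificate with the same
-- CN from a different CA matching. REQUIRE is a check on top of normal
-- authentication, so set a password too unless the certificate alone is meant
-- to authenticate the client.
CREATE USER 'alice'@'%' IDENTIFIED BY 'placeholder-password'
  REQUIRE SUBJECT '/C=US/O=Example Corp/CN=alice/emailAddress=alice@example.com'
      AND ISSUER  '/C=US/O=Example Corp/CN=Example Internal CA';
GRANT SELECT ON appdb.* TO 'alice'@'%';

-- Confirm the requirement was stored as intended.
SHOW GRANTS FOR 'alice'@'%';

-- Record connections with the bundled audit plugin. Because each certificate
-- now maps to its own account, the user name in the audit log identifies the
-- certificate that was presented.
INSTALL SONAME 'server_audit';
SET GLOBAL server_audit_events = 'CONNECT';
SET GLOBAL server_audit_logging = ON;

-- From a client session: verify the connection actually negotiated TLS
-- (an empty Ssl_cipher value means the session is in the clear).
SHOW STATUS LIKE 'Ssl_cipher';
```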