
We are facing an issue with enabling cert-based authentication between client and pgbouncer 1.17.0.
Pgbouncer 1.17.0 and PostgreSQL 14 are on the same host in different containers. There is TLS enabled between client and pgbouncer. The issue is that we want the client to connect to pgbouncer with a client key and certificate. The certificate will have a Common Name (let's say "abc") which won't be the same as the user "joe" who is trying to log in to pgbouncer, so here we want a mapping of the user "joe" to "abc". If we try to log in as joe, we immediately get an error because pgbouncer will check the user ("joe") and the Common Name ("abc") in the cert, and they don't match. What is the right way of solving this issue? Otherwise, how can different users log in to pgBouncer?

On PostgreSQL, this mapping can be done using pg_ident.conf, but that support is not available in pgBouncer. What is the most secure way of achieving this authentication?

Aaak
  • It is not supported. Either don't use the client certs, don't use pgbouncer, or use certs with the correct name. We have no way of knowing which of those is best for you. – jjanes Oct 14 '22 at 14:08
  • Okay. Is support for handling multiple client certificates available in pgbouncer? – Aaak Oct 14 '22 at 15:00
  • You can use multiple client certs to connect from the client to pgbouncer, but it won't proxy those cert usages (key usages, really) through to the server. So you can't use individualized client certs all the way through. Or at least, not without pgbouncer having its own copy of each client cert and key. – jjanes Oct 14 '22 at 16:31
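
As an added example (not part of the original post or comments, and not pgbouncer's own code), the "certs with the correct name" option can be sketched with openssl: one client certificate per login, with the CN set to the login name, plus a pre-flight check that repeats the user-versus-CN comparison the question describes. The throwaway CA, the file paths and the helper function names are assumptions made for illustration.

```shell
# Constructed demo: a throwaway CA and two client certs (joe, abc).
set -eu
WORK=$(mktemp -d)

# Stand-in for the CA that the pooler is configured to trust for client certs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_client_cert USER: key and cert whose CN is exactly the login name.
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
  chmod 600 "$WORK/$1.key"   # private key readable by its owner only
}

# cert_cn FILE: print the subject Common Name of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# check_login USER CERT: succeed only if CERT chains to the CA and CN == USER.
check_login() {
  openssl verify -CAfile "$WORK/ca.crt" "$2" >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$2")" = "$1" ]
}

make_ca
issue_client_cert joe
issue_client_cert abc

check_login joe "$WORK/joe.crt" && echo "joe with joe.crt: accepted"
check_login joe "$WORK/abc.crt" ||
  echo "joe with abc.crt: rejected (CN is $(cert_cn "$WORK/abc.crt"))"
```

Running the same check in a deployment pipeline catches a mismatched certificate before the connection attempt fails at the pooler.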

0 Answers