BUG #16935: Unable to provide map= option when combining clientcert=verify-full with some auth mechanisms - Mailing list pgsql-bugs

From PG Bug reporting form
Subject BUG #16935: Unable to provide map= option when combining clientcert=verify-full with some auth mechanisms
Date
Msg-id 16935-770d76934b05c85c@postgresql.org
List pgsql-bugs
The following bug has been logged on the website:

Bug reference:      16935
Logged by:          Tilman Koschnick
Email address:      til@subnetz.org
PostgreSQL version: 13.2
Operating system:   GNU/Linux
Description:

Dear PostgreSQL team,

I am not sure if this is actually a bug, or me misreading the documentation.
According to https://www.postgresql.org/docs/current/auth-pg-hba-conf.html,
clientcert= can be combined with any other mechanism, and when set to
"verify-full", enforces matches with "the username or an applicable
mapping". But the map= option is only allowed with some of the auth
mechanisms.

I've tried removing the limitation (see patch below), and can confirm that
with that change in place, I can combine e.g. password authentication with
clientcert=verify-full and map= options. All tests pass on the build.

Kind regards, Til

--- postgresql-13-13.2.orig/src/backend/libpq/hba.c
+++ postgresql-13-13.2/src/backend/libpq/hba.c
@@ -1678,12 +1678,6 @@ parse_hba_auth_opt(char *name, char *val
  
        if (strcmp(name, "map") == 0)
        {
-               if (hbaline->auth_method != uaIdent &&
-                       hbaline->auth_method != uaPeer &&
-                       hbaline->auth_method != uaGSS &&
-                       hbaline->auth_method != uaSSPI &&
-                       hbaline->auth_method != uaCert)
-                       INVALID_AUTH_OPTION("map", gettext_noop("ident,
peer, gssapi, sspi, and cert"));
                hbaline->usermap = pstrdup(val);
        }
        else if (strcmp(name, "clientcert") == 0)
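Review bot: Deleting the whole method check in the `map` branch means map= is now accepted on every pg_hba.conf line, including lines whose method is not ident, peer, gssapi, sspi or cert and that do not set clientcert=verify-full. `hbaline->usermap` is then stored on lines where nothing in this hunk shows it being consulted, so an administrator could read such a line as enforcing a mapping that is never applied. Suggest keeping the check and extending its condition to also allow map when clientcert is verify-full. Because `clientcert` is handled in the following `else if` branch and the two options can appear in either order, that validation probably has to run after all options of the line have been parsed. The message text "ident, peer, gssapi, sspi, and cert" and the pg_hba.conf documentation would need the same update.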


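The restriction described in this report, as an added example (not code from the post or from PostgreSQL): a small Python audit of pg_hba.conf content that applies the method list from the check quoted in the patch. The function name `audit_hba`, the simplified field parsing and the sample lines are assumptions made for illustration.

```python
import shlex

# Methods for which 13.2 accepts map=, taken from the check quoted in the
# patch above ("gssapi" in the error text is the "gss" method in pg_hba.conf).
MAP_METHODS = {"ident", "peer", "gss", "sspi", "cert"}
ALL_METHODS = MAP_METHODS | {"trust", "reject", "scram-sha-256", "md5",
                             "password", "ldap", "radius", "pam", "bsd"}

# Constructed sample input, not taken from any real server.
SAMPLE = """\
# constructed sample
local   all  postgres                 peer map=ops
hostssl all  all  0.0.0.0/0           cert map=certmap
hostssl all  all  0.0.0.0/0           scram-sha-256 clientcert=verify-full map=certmap
hostssl app  app  10.0.0.0 255.0.0.0  md5 clientcert=verify-full
"""

def audit_hba(text):
    """Return a list of (line_number, message) findings (hypothetical helper)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments
        if not fields:
            continue
        # The method is the first known method name after type/database/user,
        # which covers both the CIDR and the address + netmask forms.
        idx = next((i for i, f in enumerate(fields[3:], 3)
                    if f in ALL_METHODS), None)
        if idx is None:
            findings.append((no, "no recognised auth method"))
            continue
        method = fields[idx]
        opts = dict(o.split("=", 1) for o in fields[idx + 1:] if "=" in o)
        if "map" in opts and method not in MAP_METHODS:
            findings.append((no, f"map= is rejected with method {method} on 13.2"))
        if opts.get("clientcert") == "verify-full" and "map" not in opts:
            findings.append((no, "verify-full without map=: certificate CN "
                                 "must equal the database user name"))
    return findings

if __name__ == "__main__":
    for line_no, message in audit_hba(SAMPLE):
        print(f"line {line_no}: {message}")
```
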