Question on implementing ident auth correctly. - Mailing list pgsql-admin

From: Rob Cherry
Subject: Question on implementing ident auth correctly.
Msg-id: CAMRU3r2aEewTry842xxoRVFgfCT1XneqA2JHzq4kbah0xKmE0g@mail.gmail.com
List: pgsql-admin
I am having an issue wrapping my head around ident auth.  In particular, I always run afoul of the first-match-wins aspect of pg_hba.conf.  To help clarify, I am using postgres 8.4 with the new ident syntax where "sameuser" is now implied.

What I would like to do is to use "ident" auth for local connections such that all users can log in as themselves based on their OS authenticated username, but I would further like to allow for named admin users to log in as the privileged account.  In the following example there is only 1 user defined in postgres - the "postgres" account.  "rob" does not exist in postgres.  I was hoping to be able to do this -

pg_hba.conf:
local   all         all                               ident
local   all         all                               ident map=systems

pg_ident.conf:
systems       rob            postgres

My wishful thinking interpretation of this would be that the postgres user can log in as postgres AND that rob can log in as postgres.  The actual behavior is that rob fails the ident check but postgres is fine.  Flipping the pg_hba.conf line order, rob can now log in as postgres, but postgres cannot log in as itself.  The only way I found to make this work is to do the following -

pg_hba.conf:
local   all         all                               ident map=systems

pg_ident.conf:
systems       /^(.*)$            \1
systems       rob               postgres

This basically uses the ident "systems" map, but there is a regex to replicate the "sameuser" concept.  This feels wrong and I figured that I would ask rather than just go with what works.

Does anyone have any comment?  I don't need a fix as this does work, so I have no interest in "trust" or anything else, but wanted to know what people think.
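To make the behaviour described in the post concrete, here is an added example (not part of the original message, and not PostgreSQL's own code): a small Python simulator of the two rules at play, pg_hba.conf first-match-wins selection and pg_ident.conf map matching. It assumes 8.4 semantics, where an ident line without map= means "OS user must equal database user", and it models the pg_ident.conf regex form (system-username starting with "/", optional \1 substitution of the first capture group) with an unanchored search, which is how PostgreSQL applies those regexes. The config strings are the ones from the post, embedded inline; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HbaRule:
    conn_type: str          # "local", "host", ...
    database: str           # "all" or a database name
    user: str               # "all" or a role name
    method: str             # "ident", "trust", ...
    options: dict = field(default_factory=dict)   # e.g. {"map": "systems"}


def parse_hba(text):
    """Parse pg_hba.conf lines into rules, preserving file order (order is the whole point)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            conn_type, database, user, method, *opts = fields
        else:
            conn_type, database, user, _addr, method, *opts = fields  # host rules carry an address field
        options = dict(o.split("=", 1) for o in opts)
        rules.append(HbaRule(conn_type, database, user, method, options))
    return rules


def parse_ident(text):
    """Parse pg_ident.conf into {mapname: [(system_user, pg_user), ...]}."""
    maps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mapname, sysname, pgname = line.split()
        maps.setdefault(mapname, []).append((sysname, pgname))
    return maps


def ident_map_allows(entries, os_user, db_user):
    """Does any entry of the map let OS user `os_user` connect as role `db_user`?"""
    for sysname, pgname in entries:
        if sysname.startswith("/"):
            m = re.search(sysname[1:], os_user)    # regex form: unanchored match on the OS name
            if not m:
                continue
            if "\\1" in pgname:
                if not m.groups():
                    raise ValueError("pg-username uses \\1 but the regex has no capture group")
                pgname = pgname.replace("\\1", m.group(1))
            if pgname == db_user:
                return True
        elif sysname == os_user and pgname == db_user:
            return True
    return False


def decide(hba_rules, ident_maps, os_user, db_user, database="postgres"):
    """Verdict for a local connection: the FIRST rule whose type/database/user
    fields match chooses the auth method; a failed check never falls through."""
    for rule in hba_rules:
        if rule.conn_type != "local":
            continue
        if rule.database not in ("all", database) or rule.user not in ("all", db_user):
            continue
        if rule.method != "ident":
            return f"{rule.method} (not simulated)"
        mapname = rule.options.get("map")
        if mapname is None:
            return "allow" if os_user == db_user else "deny"   # 8.4: implied sameuser
        entries = ident_maps.get(mapname, [])
        return "allow" if ident_map_allows(entries, os_user, db_user) else "deny"
    return "deny"   # no rule matched at all: the server rejects the connection


# Constructed inputs: the three configurations discussed in the post.
HBA_FIRST = """\
local   all         all                               ident
local   all         all                               ident map=systems
"""
HBA_FLIPPED = """\
local   all         all                               ident map=systems
local   all         all                               ident
"""
IDENT_ROB_ONLY = "systems       rob            postgres\n"

HBA_WORKING = "local   all         all                               ident map=systems\n"
IDENT_WORKING = """\
systems       /^(.*)$            \\1
systems       rob               postgres
"""


def run_scenarios():
    """Replay the attempts from the post and return {label: verdict}."""
    results = {}
    rules, maps = parse_hba(HBA_FIRST), parse_ident(IDENT_ROB_ONLY)
    results["first: postgres->postgres"] = decide(rules, maps, "postgres", "postgres")
    results["first: rob->postgres"] = decide(rules, maps, "rob", "postgres")  # rule 1 wins, sameuser fails
    rules, maps = parse_hba(HBA_FLIPPED), parse_ident(IDENT_ROB_ONLY)
    results["flipped: rob->postgres"] = decide(rules, maps, "rob", "postgres")
    results["flipped: postgres->postgres"] = decide(rules, maps, "postgres", "postgres")  # map has no entry
    rules, maps = parse_hba(HBA_WORKING), parse_ident(IDENT_WORKING)
    results["working: postgres->postgres"] = decide(rules, maps, "postgres", "postgres")  # regex, \1
    results["working: rob->postgres"] = decide(rules, maps, "rob", "postgres")            # explicit entry
    return results


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:32s} {verdict}")
```

The simulator reproduces what the post observed: with two `local all all` lines the second is dead configuration, because the first one matches every local attempt and a failed sameuser check is a final "deny", not a reason to try the next line. The single-map form works because the map, not the rule order, expresses both policies: the regex entry reproduces sameuser for everyone and the explicit entry adds the rob-to-postgres exception. From a least-privilege view the map is also the better place for that exception, since it is a visible, auditable list of who may assume the superuser role.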
