Thread: Question on implementing ident auth correctly.
I am having an issue wrapping my head around ident auth. In particular I always run afoul of the first-match-wins aspect of pg_hba.conf. To help clarify, I am using postgres 8.4 with the new ident syntax where "sameuser" is now implied.
What I would like to do is to use "ident" auth for local connections such that all users can log in as themselves based on their OS authenticated username, but I would further like to allow for named admin users to log in as the privileged account. In the following example there is only 1 user defined in postgres - the "postgres" account. "rob" does not exist in postgres. I was hoping to be able to do this -
pg_hba.conf:
local all all ident
local all all ident map=systems
pg_ident.conf:
systems rob postgres
My wishful thinking interpretation of this would be that the postgres user can log in as postgres AND that rob can log in as postgres. The actual behavior is that rob fails the ident check but postgres is fine. Flipping the pg_hba.conf line order, rob can now log in as postgres, but postgres cannot log in as itself. The only way I found to make this work is to do the following -
pg_hba.conf:
local all all ident map=systems
pg_ident.conf:
systems /^(.*)$ \1
systems rob postgres
This basically uses the ident "systems" map, but there is a regex to replicate the "sameuser" concept. This feels wrong and I figured that I would ask rather than just go with what works.
Does anyone have any comment? I don't need a fix as this does work, so I have no interest in "trust" or anything else, but wanted to know what people think.
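The three configurations above can be checked without a running server by modelling the matching rules PostgreSQL applies: the first pg_hba.conf record whose type, database and user columns match is the only one consulted (there is no fallback to later records if its authentication fails); an "ident" record without map= requires the OS user name to equal the requested database user; with map=, any line of that map which matches is sufficient, where a system-username beginning with "/" is a regular expression and "\1" in the pg-role column is replaced by its first capture group. The following simulator is an added example, not code from the post or from PostgreSQL itself; the config fragments are constructed copies of the ones quoted above, and role existence and host-record address matching are not modelled.

```python
import re

# Constructed pg_hba.conf / pg_ident.conf fragments copied from the post.
HBA_TWO_LINES = """\
local all all ident
local all all ident map=systems
"""

HBA_TWO_LINES_FLIPPED = """\
local all all ident map=systems
local all all ident
"""

HBA_MAP_ONLY = """\
local all all ident map=systems
"""

IDENT_MAP_ONLY = """\
systems rob postgres
"""

IDENT_WITH_SELF = """\
systems /^(.*)$ \\1
systems rob postgres
"""


def _strip(line):
    """Drop comments and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_hba(text):
    """Return (type, database, user, method, options) tuples in file order."""
    records = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        fields = line.split()
        conn_type, database, user = fields[:3]
        # "local" records have no address column; host-type records do.
        method_index = 3 if conn_type == "local" else 4
        method = fields[method_index]
        options = {}
        for opt in fields[method_index + 1:]:
            key, _, value = opt.partition("=")
            options[key] = value
        records.append((conn_type, database, user, method, options))
    return records


def parse_ident(text):
    """Return {map_name: [(system_username, pg_role), ...]}."""
    maps = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        name, sysname, role = line.split()
        maps.setdefault(name, []).append((sysname, role))
    return maps


def ident_map_allows(maps, map_name, os_user, db_user):
    """pg_ident semantics: any matching line in the map is sufficient."""
    for sysname, role in maps.get(map_name, []):
        if sysname.startswith("/"):
            match = re.match(sysname[1:], os_user)
            if match is None:
                continue
            if "\\1" in role:
                role = role.replace("\\1", match.group(1))
            if role == db_user:
                return True
        elif sysname == os_user and role == db_user:
            return True
    return False


def authenticate(hba_text, ident_text, os_user, db_user,
                 database="postgres", conn_type="local"):
    """Apply first-match-wins: the first matching record decides, no fallback."""
    maps = parse_ident(ident_text)
    for rtype, rdb, ruser, method, options in parse_hba(hba_text):
        if rtype != conn_type:
            continue
        if rdb != "all" and rdb != database:
            continue
        if ruser != "all" and ruser != db_user:
            continue
        # This record matches; it is the only one consulted.
        if method == "trust":
            return True
        if method == "ident":
            if "map" in options:
                return ident_map_allows(maps, options["map"], os_user, db_user)
            return os_user == db_user  # implied "sameuser"
        return False  # other methods not modelled here
    return False  # no matching record: connection rejected
```

Running authenticate() with the post's first config reproduces the reported behaviour (postgres succeeds, rob fails), flipping the record order inverts it, and the single map= record with the `/^(.*)$ \1` line accepts both; it also shows that the regex line only maps an OS user to the role of the same name, so postgres still cannot log in as rob.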