Thread: BUG #16935: Unable to provide map= option when combining clientcert=verify-full with some auth mechanisms
From: PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference: 16935
Logged by: Tilman Koschnick
Email address: til@subnetz.org
PostgreSQL version: 13.2
Operating system: GNU/Linux
Description:

Dear PostgreSQL team,

I am not sure if this is actually a bug, or me misreading the documentation.

According to https://www.postgresql.org/docs/current/auth-pg-hba-conf.html, clientcert= can be combined with any other mechanism, and when set to "verify-full", enforces matches with "the username or an applicable mapping". But the map= option is only allowed with some of the auth mechanisms.

I've tried removing the limitation (see patch below), and can confirm that with that change in place, I can combine e.g. password authentication with clientcert=verify-full and map= options. All tests pass on the build.

Kind regards, Til

--- postgresql-13-13.2.orig/src/backend/libpq/hba.c +++ postgresql-13-13.2/src/backend/libpq/hba.c @@ -1678,12 +1678,6 @@ parse_hba_auth_opt(char *name, char *val if (strcmp(name, "map") == 0) { - if (hbaline->auth_method != uaIdent && - hbaline->auth_method != uaPeer && - hbaline->auth_method != uaGSS && - hbaline->auth_method != uaSSPI && - hbaline->auth_method != uaCert) - INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert")); hbaline->usermap = pstrdup(val); } else if (strcmp(name, "clientcert") == 0)
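
Review bot: Deleting the whole method check in the strcmp(name, "map") == 0 branch makes map= acceptable for every auth method, whether or not the line also sets clientcert=verify-full, so a password-type entry with map= and no clientcert would now parse without error even though nothing in this patch makes that method consult hbaline->usermap. Consider keeping the INVALID_AUTH_OPTION check and relaxing it only when the line requests clientcert=verify-full. Because clientcert is handled in a separate branch of the same per-option parser and may appear after map= on the line, that condition is better tested once all options have been parsed than inside this branch. The hunk also removes the only message listing the accepted methods ("ident, peer, gssapi, sspi, and cert"), so the change should come with a matching documentation update and a test that combines a non-cert method with clientcert=verify-full and map=.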