Re: Question about cert authentication method.

From: Laurenz Albe
Subject: Re: Question about cert authentication method.
Date:
Msg-id: d0f723304b3b43cc4093d876b43f58cdca34d89d.camel@cybertec.at
In reply to: Question about cert authentication method.  (Dhirendra Singh <dhirendraks@gmail.com>)
Responses: Re: Question about cert authentication method.  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-admin
On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
> I have a question about cert authentication method. I am using postgres version 14.
> 
> Following is the entry i have in the pg_hba file.
> hostssl  all  all  0.0.0.0/0   cert map=mymap
> 
> Following is the entry in the pg_ident file.
> mymap  test  readonly
> 
> Trying to connect to the server using psql. CN in the certificate is "test (S114546)".
> psql "host=localhost user='test (S114546)' dbname=appdb sslmode=verify-full sslcert=certificate.crt sslkey=certificate.key sslrootcert=cacerts"
> 
> No mapping exist for "test (S114547)" in the pg_ident file.
> 
> The connection failed with following error.
> psql: error: connection to server at "localhost", port 5432 failed: FATAL:  certificate authentication failed for user "test (S114546)"
> 
> Error in the server log is...
> 2022-11-25 09:26:52.169 UTC [62] LOG: no match in usermap "mymap" for user "test (S114546)" authenticated as "test (S114546)"
> 2022-11-25 09:26:52.169 UTC [62] FATAL: certificate authentication failed for user "test (S114546)"
> 2022-11-25 09:26:52.169 UTC [62] DETAIL: Connection matched pg_hba.conf line 4: "hostssl all all 0.0.0.0/0 cert map=mymap"
> 
> I am expecting the connection to fail because user "test (S114546)" does not exist, but I am confused about the error message in the server log.
> It says certificate authentication failed for user "test (S114546)", but CN in the certificate matches with the user name in the psql connection request.
> So certificate authentication should pass. It should fail afterwards.

Well, "test" is different from "test (S114546)", so what do you expect?

You should use a regular expression in "pg_ident.conf", if you want that to match:

  mymap  /^test  readonly

Yours,
Laurenz Albe
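An added worked example, not part of the thread and not PostgreSQL's own code: a small Python model of how a pg_ident.conf usermap is evaluated for the cert method, run against the exact-match line from the question and the regex line from the answer. The pg_ident contents, and the map names mymap_re, mymap_tight and domainmap, are constructed here for illustration. It makes two things visible that the server log only hints at: the certificate CN has to match the system-username column, and the pg-username column has to equal the role the client actually asked for; and a prefix pattern such as ^test is anchored only at the start, so it also admits any other CN beginning with "test", which is why a pattern shaped like the real CN is the safer map entry.

```python
import re

# Constructed pg_ident.conf contents (not from the thread). The first map is the
# exact-match entry from the question, the rest are regex variants. A regex
# entry starts with "/"; a value containing spaces must be double-quoted.
PG_IDENT = r'''
# MAPNAME     SYSTEM-USERNAME          PG-USERNAME
mymap         test                     readonly
mymap_re      /^test                   readonly
mymap_tight   "/^test \(S\d+\)$"       readonly
domainmap     /^(.*)@example\.com$     \1
'''


def tokenize(line):
    """Split one pg_ident line on whitespace, honouring double quotes and # comments."""
    tokens, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            break
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append(''.join(cur))
    return tokens


def parse_pg_ident(text):
    """Return a list of (map_name, system_username, pg_username) triples."""
    entries = []
    for line in text.splitlines():
        fields = tokenize(line)
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries


def map_allows(entries, map_name, system_user, pg_user):
    """Model of the server's usermap check for the cert method.

    system_user is the certificate CN, pg_user is the role the client requested.
    Returns True if some line of the named map lets this CN log in as that role.
    """
    for name, sys_pat, pg_name in entries:
        if name != map_name:
            continue
        if sys_pat.startswith('/'):
            # Regex entry: unanchored search, as the server's regex matching is.
            m = re.search(sys_pat[1:], system_user)
            if m is None:
                continue
            if '\\1' in pg_name:
                if not m.groups():
                    continue  # \1 requested but the pattern captured nothing
                pg_name = pg_name.replace('\\1', m.group(1))
            if pg_name == pg_user:
                return True
        elif sys_pat == system_user and pg_name == pg_user:
            return True
    return False


ENTRIES = parse_pg_ident(PG_IDENT)

if __name__ == '__main__':
    cn = 'test (S114546)'
    for name in ('mymap', 'mymap_re', 'mymap_tight'):
        print(f'{name:12s} {cn!r} as readonly:', map_allows(ENTRIES, name, cn, 'readonly'))
    # Requesting the CN itself as the role still fails: the map names "readonly".
    print('mymap_re     CN as itself:', map_allows(ENTRIES, 'mymap_re', cn, cn))
    # The prefix-only pattern also admits unrelated CNs that merely start with "test".
    print('mymap_re     testuser2 as readonly:', map_allows(ENTRIES, 'mymap_re', 'testuser2', 'readonly'))
    print('mymap_tight  testuser2 as readonly:', map_allows(ENTRIES, 'mymap_tight', 'testuser2', 'readonly'))
    # \1 substitution: the captured local part becomes the role name.
    print('domainmap    alice@example.com as alice:', map_allows(ENTRIES, 'domainmap', 'alice@example.com', 'alice'))
```

With the original "mymap test readonly" line the CN "test (S114546)" matches nothing, which is the "no match in usermap" line in the log. With the regex line the CN matches, but the client must then connect as the mapped role (readonly), not as the CN string. When auditing a map, run each regex entry against CNs you do not intend to admit; a pattern that only checks a prefix is easy to widen by accident.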
