Question on implementing ident auth correctly.

From: Rob Cherry <pgsql-admin(at)lxrb(dot)com>
To: pgsql-admin(at)postgresql(dot)org
Subject: Question on implementing ident auth correctly.
Date: 2011-11-21 21:02:01
Message-ID: CAMRU3r2aEewTry842xxoRVFgfCT1XneqA2JHzq4kbah0xKmE0g@mail.gmail.com
Lists: pgsql-admin

I am having an issue wrapping my head around ident auth. In particular, I
always run afoul of the first-match-wins aspect of the pg_hba.conf. To
help clarify I am using postgres 8.4 with the new ident syntax where
"sameuser" is now implied.

What I would like to do is to use "ident" auth for local connections such
that all users can log in as themselves based on their OS authenticated
username, but I would further like to allow for named admin users to log in
as the privileged account. In the following example there is only 1 user
defined in postgres - the "postgres" account. "rob" does not exist in
postgres. I was hoping to be able to do this -

*pg_hba.conf:*
local all all ident
local all all ident map=systems

*pg_ident.conf:*
systems rob postgres

My wishful thinking interpretation of this would be that the postgres user
can log in as postgres AND that rob can log in as postgres. The actual
behavior is that rob fails the ident check but postgres is fine. Flipping
the pg_hba.conf line order, rob can now log in as postgres, but postgres
cannot log in as itself. The only way I found to make this work is to do
the following -

*pg_hba.conf:*
local all all ident map=systems

*pg_ident.conf:*
systems /^(.*)$ \1
systems rob postgres

This basically uses the ident "systems" map, but there is a regex to
replicate the "sameuser" concept. This feels wrong and I figured that I
would ask rather than just go with what works.

Does anyone have any comment? I don't need a fix as this does work, so I
have no interest in "trust" or anything else, but wanted to know what
people think.
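To make the first-match-wins behaviour concrete, here is an added example (not part of the original post and not PostgreSQL's own code) that models the documented pg_hba.conf / pg_ident.conf semantics for `local ... ident` lines: the first hba line whose type, database and user fields match decides the method, with no fallback to later lines; plain `ident` (8.4+) requires the OS user to equal the requested database user; `ident map=NAME` accepts the login if any pg_ident line under that map name matches, where a system-username starting with `/` is a regular expression and `\1` in the pg-username is replaced by its first capture. The model is simplified (only `local` lines and the `ident` method are handled; the regex is applied with Python's `re.search`, which is an assumption about how closely it mirrors PostgreSQL's matcher), and the three configurations below are the ones quoted in the post.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HbaRule:
    conn_type: str
    database: str
    user: str
    method: str
    options: dict = field(default_factory=dict)


def parse_hba(text):
    """Parse 'local DATABASE USER METHOD [OPTIONS]' lines (local lines only)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type, database, user, method = fields[:4]
        options = dict(opt.split("=", 1) for opt in fields[4:])
        rules.append(HbaRule(conn_type, database, user, method, options))
    return rules


def parse_ident(text):
    """Parse 'MAPNAME SYSTEM-USERNAME PG-USERNAME' lines from pg_ident.conf."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(tuple(line.split()))
    return entries


def ident_map_allows(entries, mapname, os_user, db_user):
    """True if any line of the named map maps os_user onto db_user."""
    for name, sysuser, pguser in entries:
        if name != mapname:
            continue
        if sysuser.startswith("/"):
            # Leading slash: the rest is a regex; \1 in pguser is the capture.
            m = re.search(sysuser[1:], os_user)
            if m is None:
                continue
            mapped = pguser.replace(r"\1", m.group(1)) if m.groups() else pguser
            if mapped == db_user:
                return True
        elif sysuser == os_user and pguser == db_user:
            return True
    return False


def check_local_ident(rules, entries, os_user, db_user, database="postgres"):
    """Apply the first matching hba rule; there is no fallback on failure."""
    for rule in rules:
        if rule.conn_type != "local":
            continue
        if rule.database not in ("all", database):
            continue
        if rule.user not in ("all", db_user):
            continue
        if rule.method != "ident":
            raise ValueError("this model only covers the ident method")
        mapname = rule.options.get("map")
        if mapname is None:
            return os_user == db_user      # implied "sameuser" in 8.4+
        return ident_map_allows(entries, mapname, os_user, db_user)
    return False                            # no matching line: rejected


def evaluate(hba_text, ident_text):
    """Outcome of the two logins discussed in the post for one config pair."""
    rules, entries = parse_hba(hba_text), parse_ident(ident_text)
    return {
        "postgres->postgres": check_local_ident(rules, entries, "postgres", "postgres"),
        "rob->postgres": check_local_ident(rules, entries, "rob", "postgres"),
    }


# The three configurations quoted in the post.
HBA_A = "local all all ident\nlocal all all ident map=systems\n"
HBA_B = "local all all ident map=systems\nlocal all all ident\n"
HBA_C = "local all all ident map=systems\n"
IDENT_AB = "systems rob postgres\n"
IDENT_C = r"""systems /^(.*)$ \1
systems rob postgres
"""

if __name__ == "__main__":
    for label, hba, ident in (("A", HBA_A, IDENT_AB), ("B", HBA_B, IDENT_AB), ("C", HBA_C, IDENT_C)):
        print(label, evaluate(hba, ident))
```

Running it reproduces the observed behaviour: with ordering A the first line shadows the map line, so rob is refused; with ordering B the map line shadows the plain ident line and postgres has no map entry; with the single map plus the `^(.*)$` capture line, both logins pass because the map is consulted line by line until one matches.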
