pg_hba.conf "sameuser"

Everyone,

I'm still trying to get a handle on all of the possible authentication
methods and what combinations will work best for what I need, and what
combinations will work in general. I am having difficulty getting the
"sameuser" parameter to do anything under DBNAME.

<snip from pg_hba.conf>
# Format:
#
# host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]
#
# DBNAME is the name of a PostgreSQL database, or "all" to indicate all
# databases, or "sameuser" to restrict a user's access to a database with
# the same name as the user.
</end snip>

Now, that snippet of instructions doesn't indicate that there are any
restrictions for which AUTHTYPE "sameuser" can be used with. For my
testing I set this line for a host (with the correct IP in place of xxx
of course),

host sameuser xxx.xxx.xxx.xxx 255.255.255.255 password

which I assumed from the description would restrict access to the
database named the same as the user being authenticated. This does not
seem to work as expected,

$ psql -h mydbhost -p 5433 myuser
Password:
Welcome to psql, the PostgreSQL interactive terminal.

This connects me to the database called "myuser" correctly as the user
"myuser".

$ psql -h mydbhost -p 5433 -U otheruser myuser
Password:
Welcome to psql, the PostgreSQL interactive terminal.

This, however, also connects me to the database called "myuser" but as
the user "otheruser" which doesn't seem to make sense.

The only actual references I have seen in examples for "sameuser" use it
in conjunction with an AUTHTYPE of ident. Such as,

host sameuser (IP) (MASK) ident (which doesn't seem to work as
ident always fails?)

or

host myuser (IP) (MASK) ident sameuser (which doesn't seem to
restrict a user to their own DB either)

What I am trying to clear up is if "sameuser" is actually a valid DBNAME
or if it is only a valid an AUTH_ARGUMENT. Also, is "sameuser" only ever
valid when used in conjunction with an AUTHTYPE of ident. All of my
testing was done on a snapshot of 7.1 taken sometime in early March.

Maybe I am not properly understanding the meaning of "to restrict a
user's access to a database with the same name as the user." as it is
stated in the docs, but I just can't seem to get that feature to work for
me. This is just bugging me for the sake of bugging me.

Thanks to anyone who can help me clear my head, it has been one of those
weeks. If you could email me directly as well as posting to the list I
would appreciate it as well.

Tim Frank