Re: [PATCH] user mapping extension to pg_ident.conf

On Tue, Jul 21, 2009 at 15:58, Tom Lane<tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> That said, if there is a username specified it should not be ignored.
>> But if there is none specified, it should work. This works "reasonably
>> well" today, in that we pick the username up from the environment. But
>> I can see cases where it would be a lot more useful to have it instead
>> pick up the username from the authentication system, since they may
>> differ.
>
> Are you not describing a behavior that you yourself removed in 8.4,
> ie the libpq code that looked aside at Kerberos for a username?

Yes, partially I am :-)

But it was not documented, and done in a fairly hackish way. If we
want it, it should work the same for *all* external authentication
methods (where it would be possible).

Doing it on the client presents a certain challenge when it comes to
certificates for example - or really in any case where you need to map
the username to something else. It would be quite convenient to have
that ability controlled from the server side. We'd have to have some
way to communicate down that the username specified was the default
one and not a user-specified one (or we're back at overriding), but if
the actual mapping could be controlled server-side it would be a lot
more convenient.

--
Magnus Hagander
Self: http://www.hagander.net/
Work: http://www.redpill-linpro.com/