| Header | Value |
|---|---|
| From | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
| To | Dhirendra Singh <dhirendraks(at)gmail(dot)com>, pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject | Re: Question about cert authentication method. |
| Date | 2022-11-25 11:54:20 |
| Message-ID | d0f723304b3b43cc4093d876b43f58cdca34d89d.camel@cybertec.at |
| Lists | pgsql-admin |
On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
> I have a question about cert authentication method. I am using postgres version 14.
>
> Following is the entry I have in the pg_hba file.
> hostssl all all 0.0.0.0/0 cert map=mymap
>
> Following is the entry in the pg_ident file.
> mymap test readonly
>
> Trying to connect to the server using psql. CN in the certificate is "test (S114546)".
> psql "host=localhost user='test (S114546)' dbname=appdb sslmode=verify-full sslcert=certificate.crt sslkey=certificate.key sslrootcert=cacerts"
>
> No mapping exists for "test (S114547)" in the pg_ident file.
>
> The connection failed with following error.
> psql: error: connection to server at "localhost", port 5432 failed: FATAL: certificate authentication failed for user "test (S114546)"
>
> Error in the server log is...
> 2022-11-25 09:26:52.169 UTC [62] LOG: no match in usermap "mymap" for user "test (S114546)" authenticated as "test (S114546)"
> 2022-11-25 09:26:52.169 UTC [62] FATAL: certificate authentication failed for user "test (S114546)"
> 2022-11-25 09:26:52.169 UTC [62] DETAIL: Connection matched pg_hba.conf line 4: "hostssl all all 0.0.0.0/0 cert map=mymap"
>
> I am expecting the connection to fail because user "test (S114546)" does not exist, but I am confused about the error message in the server log.
> It says certificate authentication failed for user "test (S114546)". but CN in the certificate matches with the user name in psql connection request.
> So certificate authentication should pass. It should fail afterwards.
Well, "test" is different from "test (S114546)", so what do you expect?
You should use a regular expression in "pg_ident.conf", if you want that to match:
mymap /^test readonly
Yours,
Laurenz Albe,
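The following is an added example (not code from the thread or from PostgreSQL itself) that re-implements the pg_ident.conf usermap check the server log above is reporting on, so the failure can be reproduced offline. The ident file text is constructed: the "literal" map is the line from the question, "prefix" is the regular expression from the reply, and "exact" and "capture" are assumed variants added here for comparison. Under "cert", the certificate CN is the system user name and the role in the connection string is the database user name; the map has to link the two.

```python
import re
from typing import List, Tuple

# Constructed pg_ident.conf text (not the original poster's file). The
# "literal" map reproduces the question's line, "prefix" the regular expression
# suggested in the reply; "exact" and "capture" are added variants.
PG_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME            PG-USERNAME
literal     test                       readonly
prefix      /^test                     readonly
exact       /^test\s\(S[0-9]+\)$       readonly
capture     /^(.*)\s\(S[0-9]+\)$       \1
"""


def parse_pg_ident(text: str) -> List[Tuple[str, str, str]]:
    """Return (mapname, system_username, pg_username) triples.

    Simplification: '#' always starts a comment and fields are never quoted,
    so a regular expression in this file must not contain '#' or whitespace.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def usermap_allows(text: str, mapname: str, system_user: str, pg_user: str) -> bool:
    r"""True if some line of <mapname> maps system_user onto pg_user.

    A SYSTEM-USERNAME starting with '/' is a regular expression searched
    against the system name (unanchored unless it uses ^ and $); if it has a
    capture group, '\1' in PG-USERNAME is replaced by the captured text.
    Any other SYSTEM-USERNAME must equal the system name exactly.
    """
    for name, sys_field, pg_field in parse_pg_ident(text):
        if name != mapname:
            continue
        if sys_field.startswith("/"):
            match = re.search(sys_field[1:], system_user)
            if match is None:
                continue
            if "\\1" in pg_field:
                if not match.groups():
                    raise ValueError("\\1 used without a capture group")
                target = pg_field.replace("\\1", match.group(1))
            else:
                target = pg_field
        else:
            if sys_field != system_user:
                continue
            target = pg_field
        if target == pg_user:
            return True
    return False


def cert_login(text: str, mapname: str, cn: str, requested_role: str) -> str:
    """Mimic the decision for `cert map=<mapname>` once TLS has already
    verified the client certificate: the CN is the authenticated (system)
    name and must map onto the role named in the connection request."""
    if usermap_allows(text, mapname, cn, requested_role):
        return f'connection authorized: user={requested_role} (cert CN "{cn}")'
    return (f'no match in usermap "{mapname}" for user "{requested_role}" '
            f'authenticated as "{cn}"')


if __name__ == "__main__":
    # The case from the thread: CN and requested role are both "test (S114546)".
    print(cert_login(PG_IDENT, "literal", "test (S114546)", "test (S114546)"))
    # With the regex map the connection must request the mapped role instead.
    print(cert_login(PG_IDENT, "prefix", "test (S114546)", "readonly"))
```

Two things the example makes visible: with the `/^test readonly` line the psql call still has to say `user=readonly`, because the map only ever yields that role, so requesting `user='test (S114546)'` keeps failing with the same "no match in usermap" message; and `^test` also accepts any CN that merely begins with "test", so a pattern anchored at both ends (the "exact" line) or a capture that derives the role from the CN (the "capture" line) keeps the mapping as narrow as the certificates you actually issue.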