On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
> I have a question about cert authentication method. I am using postgres version 14.
>
> Following is the entry I have in the pg_hba file.
> hostssl all all 0.0.0.0/0 cert map=mymap
>
> Following is the entry in the pg_ident file.
> mymap test readonly
>
> Trying to connect to the server using psql. CN in the certificate is "test (S114546)".
> psql "host=localhost user='test (S114546)' dbname=appdb sslmode=verify-full sslcert=certificate.crt sslkey=certificate.key sslrootcert=cacerts"
>
> No mapping exists for "test (S114547)" in the pg_ident file.
>
> The connection failed with the following error.
> psql: error: connection to server at "localhost", port 5432 failed: FATAL: certificate authentication failed for user "test (S114546)"
>
> Error in the server log is...
> 2022-11-25 09:26:52.169 UTC [62] LOG: no match in usermap "mymap" for user "test (S114546)" authenticated as "test (S114546)"
> 2022-11-25 09:26:52.169 UTC [62] FATAL: certificate authentication failed for user "test (S114546)"
> 2022-11-25 09:26:52.169 UTC [62] DETAIL: Connection matched pg_hba.conf line 4: "hostssl all all 0.0.0.0/0 cert map=mymap"
>
> I am expecting the connection to fail because user "test (S114546)" does not exist, but I am confused about the error message in the server log.
> It says certificate authentication failed for user "test (S114546)", but CN in the certificate matches with the user name in psql connection request.
> So certificate authentication should pass. It should fail afterwards.

Well, "test" is different from "test (S114546)", so what do you expect?

You should use a regular expression in "pg_ident.conf", if you want that to match:

  mymap /^test readonly

Yours,
Laurenz Albe
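
The map lookup discussed in this thread, as an added example that is not part of the original messages and is not PostgreSQL's own code: a simplified Python model of how a pg_ident.conf line is matched against the certificate CN and the requested database user. The names `parse_ident` and `map_allows`, the fully anchored pattern and the "tester" identity are constructed for illustration, and Python's `re` stands in for PostgreSQL's regex engine, which behaves the same for these simple patterns.

```python
import re
import shlex

CERT_CN = "test (S114546)"  # certificate CN from the thread

# Map files: the thread's original entry, the suggested regex entry, and a
# constructed, fully anchored variant (assumption, not from the thread).
ORIGINAL = "mymap test readonly"
SUGGESTED = "mymap /^test readonly"
ANCHORED = r'mymap "/^test \(S[0-9]+\)$" readonly'


def parse_ident(text):
    """Return (map-name, system-username, database-username) tuples."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # handles quotes and '#'
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries


def map_allows(text, mapname, identity, requested_role):
    """True if some map line lets `identity` connect as `requested_role`."""
    for name, sys_user, pg_user in parse_ident(text):
        if name != mapname:
            continue
        if sys_user.startswith("/"):
            # Leading slash: the rest is a regular expression, unanchored
            # unless the pattern itself carries ^ and $.
            m = re.search(sys_user[1:], identity)
            if m is None:
                continue
            if r"\1" in pg_user and m.groups() and m.group(1) is not None:
                pg_user = pg_user.replace(r"\1", m.group(1))
        elif sys_user != identity:
            continue  # plain entries must equal the identity exactly
        if pg_user == requested_role:
            return True
    return False


if __name__ == "__main__":
    for label, conf in [("original", ORIGINAL), ("suggested", SUGGESTED), ("anchored", ANCHORED)]:
        for ident, role in [(CERT_CN, "test (S114546)"), (CERT_CN, "readonly"), ("tester", "readonly")]:
            print(f"{label:9} CN={ident!r:17} user={role!r:17} -> {map_allows(conf, 'mymap', ident, role)}")
```

Two things the output makes visible: even with the regex entry the client has to request `user=readonly`, because the map pairs the CN with that database user, and `/^test` also accepts any other CN that merely begins with "test", which the anchored pattern does not.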