Hi Magnus, > On 07. Jan, 2021, at 12:43, Magnus Hagander <magnus@xxxxxxxxxxxx> wrote: > > The docs say "When using an external authentication system such as > Ident or GSSAPI, the name of the operating system user that initiated > the connection might not be the same as the database user (role) that > is to be used." > > I think that's a bit of a left-over to when it was really just ident. > First of all it should probably say peer rather than ident, and it's > not actually operating systems that are relevant here. > > So I can understand you getting ab it confused by that. but the > property that matter is where the username comes from. In GSSAPI, or > peer, or certificate, etc, the username is provided by the external > system, and the mapping is applied *after* that. > > With LDAP authentication, the username is provided by the client, and > is then passed to the external system. > > Mapping applies *after* the authentication, which inthe case of LDAP > would be too late to make any difference. > > The references to "unix user" and "operating system users" are > probably a leftover from the old days and actually contribute to some > of the confusion I think. that explains it. The use case in our company is: Developers connect with tools like DbVisualizer or SQL Developer (Oracle using the nasty PostgreSQL Hack :-( ) providing their username via JDBC to the database. Developers work on Windows, the databases run on Linux (SLES) and the AD obviously runs on Windows. Ok, since LDAP doesn't work that way, I either need to build GSSAPI packages and have the AD admins to provide me with the keytab file or make the transition a "hard" one, i.e. no transition phase. Though I'd rather have liked to see a transition phase where either account could have been used I personally can live with that. It's the developers who will have to change quickly, not me. ;-) Cheers, Paul