Drew Zoellner <drewtzoellner@xxxxxxxxx> writes:
> So the same user is able to connect using a non replication connection
> using the same mtls certificate and pg_ident.conf map. So it seems like the
> cert & map are working for this user.

Hmph. I tried to reproduce your problem, and it works for me: I can create a replication connection that's authenticated by certificate and relies on a username map to map from the CN in the client certificate to the database username that's mentioned in the "hostssl replication" entry.

All I can suggest at this point is to go over your configuration with a fine-tooth comb, looking for probably-silly mistakes such as inconsistent spellings. One thing I can think of to mention in particular is to be sure that the standby's primary_conninfo explicitly includes "user=pgrepmgr_nonprod", as that's likely not the user name it'd default to.

Another idea could be to enable log_connections on the primary, and see if the incoming connection request looks different than you were expecting.

regards, tom lane
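The consistency check suggested in the message above can be scripted. This is an added example, not part of the original thread or of PostgreSQL: it cross-checks the user in primary_conninfo, the first matching "hostssl replication" line in pg_hba.conf, and the pg_ident.conf map against the certificate CN. The host names, map name, CN and address are constructed, and the matching is simplified (only hostssl lines, no address matching, no quoted options).

```python
import re
import shlex

def fields(line):
    """Split a pg_hba.conf/pg_ident.conf line into fields, minus comments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line.split("#", 1)[0])]

def first_replication_rule(hba_text, user):
    """First 'hostssl replication' line naming `user` or 'all' (first match wins)."""
    for line in hba_text.splitlines():
        f = fields(line)
        if len(f) >= 5 and f[:2] == ["hostssl", "replication"] and f[2] in (user, "all"):
            opts = dict(o.split("=", 1) for o in f[4:] if "=" in o)
            return {"cert": "cert" in f[4:6], "map": opts.get("map")}
    return None

def map_allows(ident_text, map_name, cert_cn, user):
    """True if some line of map_name maps cert_cn (literal or /regex) to user."""
    for line in ident_text.splitlines():
        f = fields(line)
        if len(f) == 3 and f[0] == map_name and f[2] == user:
            if f[1] == cert_cn or (f[1].startswith("/") and re.search(f[1][1:], cert_cn)):
                return True
    return False

def check(hba_text, ident_text, conninfo, cert_cn):
    """Return a list of mismatches; an empty list means the pieces agree."""
    params = dict(kv.split("=", 1) for kv in shlex.split(conninfo) if "=" in kv)
    user = params.get("user")
    if user is None:
        return ["primary_conninfo has no explicit user="]
    rule = first_replication_rule(hba_text, user)
    if rule is None:
        return [f"no 'hostssl replication' line matches user {user}"]
    if not rule["cert"]:
        return ["matching pg_hba.conf line does not use cert authentication"]
    if rule["map"] is None:
        return [] if cert_cn == user else [f"no map= and CN {cert_cn} != {user}"]
    if not map_allows(ident_text, rule["map"], cert_cn, user):
        return [f"map {rule['map']} has no entry {cert_cn} -> {user}"]
    return []

# Constructed sample configuration; only the user name comes from the message.
HBA = "hostssl replication pgrepmgr_nonprod 10.0.0.0/24 cert map=replmap  # primary"
IDENT = 'replmap "standby1.example.internal" pgrepmgr_nonprod'
CONNINFO = "host=primary.example.internal user=pgrepmgr_nonprod sslmode=verify-full"
CN = "standby1.example.internal"

if __name__ == "__main__":
    print(check(HBA, IDENT, CONNINFO, CN) or "configuration is consistent")
```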