BUG #16935: Unable to provide map= option when combining clientcert=verify-full with some auth mechanisms

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: til(at)subnetz(dot)org
Subject: BUG #16935: Unable to provide map= option when combining clientcert=verify-full with some auth mechanisms
Date: 2021-03-21 09:17:20
Message-ID: 16935-770d76934b05c85c@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 16935
Logged by: Tilman Koschnick
Email address: til(at)subnetz(dot)org
PostgreSQL version: 13.2
Operating system: GNU/Linux
Description:

Dear PostgreSQL team,

I am not sure if this is actually a bug, or me misreading the documentation.
According to https://www.postgresql.org/docs/current/auth-pg-hba-conf.html,
clientcert= can be combined with any other mechanism, and when set to
"verify-full", enforces matches with "the username or an applicable
mapping". But the map= option is only allowed with some of the auth
mechanisms.

I've tried removing the limitation (see patch below), and can confirm that
with that change in place, I can combine e.g. password authentication with
clientcert=verify-full and map= options. All tests pass on the build.

Kind regards, Til

--- postgresql-13-13.2.orig/src/backend/libpq/hba.c
+++ postgresql-13-13.2/src/backend/libpq/hba.c
@@ -1678,12 +1678,6 @@ parse_hba_auth_opt(char *name, char *val

if (strcmp(name, "map") == 0)
{
- if (hbaline->auth_method != uaIdent &&
- hbaline->auth_method != uaPeer &&
- hbaline->auth_method != uaGSS &&
- hbaline->auth_method != uaSSPI &&
- hbaline->auth_method != uaCert)
- INVALID_AUTH_OPTION("map", gettext_noop("ident,
peer, gssapi, sspi, and cert"));
hbaline->usermap = pstrdup(val);
}
else if (strcmp(name, "clientcert") == 0)
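
Review bot: Deleting the method check in the `map` branch outright means `map=` is now accepted on every pg_hba.conf line, including lines whose method is outside ident, peer, gssapi, sspi and cert and which do not set `clientcert=verify-full`. On such a line nothing shown here indicates that `hbaline->usermap` would be used, so an administrator could believe a mapping is enforced when it is not. Consider keeping the rejection and relaxing it only when the line also sets `clientcert=verify-full`. Because `clientcert` is handled in a separate branch of this same per-option function, that condition cannot be tested reliably inside the `map` branch if `map=` is written before `clientcert=` on the line, so the check likely belongs in a validation step that runs after all options of the line have been parsed. The error text "ident, peer, gssapi, sspi, and cert" and the pg_hba.conf documentation would need matching updates.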
