Q: cert authentication and user remapping fails

Hi all,

I have a problem with psql cert authentication and user mapping.

In my installation, the user certificate CN's contain human-readable names (utf8, with spaces, etc.). I want *all* users connecting with cert authentication to be mapped to a certain database role. The server runs on Debian Stretch, using the package “postgresql-10” ver. “10.11-1.pgdg90+1”.

The configuration in pg_hba.conf is, inter alia

<snip>
hostssl testdb all 172.16.61.0/24 cert map=certaccess
</snip>

The file pg_ident.conf contains the line (which should, as the re matches *everything*, map all users?)

<snip>
certaccess /^.*$ testuser
</snip>

I have a user certificate, issued by the same CA as the server cert, with CN "Albrecht Dreß". Running psql on a remote client fails:

<snip>
albrecht(at)deneb:~$ psql -h dbserver -U "Albrecht Dreß" testdb
psql: FATAL: certificate authentication failed for user "Albrecht Dreß"
FATAL: no pg_hba.conf entry for host "172.16.61.70", user "Albrecht Dreß", database "testdb", SSL off
</snip>

The server log says:

<snip>
Albrecht Dreß(at)testdb LOG: no match in usermap "certaccess" for user "Albrecht Dreß" authenticated as "Albrecht Dreß"
Albrecht Dreß(at)testdb FATAL: certificate authentication failed for user "Albrecht Dreß"
Albrecht Dreß(at)testdb DETAIL: Connection matched pg_hba.conf line 136: " hostssl testdb all 172.16.61.0/24 cert map=certaccess"
Albrecht Dreß(at)testdb FATAL: no pg_hba.conf entry for host "172.16.61.70", user "Albrecht Dreß", database "testdb", SSL off
</snip>

For me, this looks as if the certificate is accepted, but the regexp match of the CN somehow fails.

Note 1: I don't have a role “Albrecht Dreß” defined.
Note 2: using my “real” user name (albrecht), i.e. omitting the “-U” option above, fails with the server log message “provided user name (albrecht) and authenticated user name (Albrecht Dreß) do not match”.

Any idea what I did wrong, and how I can a working cert authentication?

Thanks in advance,
Albrecht.