From: | Albrecht Dreß <albrecht(dot)dress(at)arcor(dot)de> |
---|---|
To: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Q: cert authentication and user remapping fails |
Date: | 2019-12-06 17:22:18 |
Message-ID: | NV7V2E3B.DNJBSI3A.SXG5UOID@C6UM6KSS.I47KT6BN.VTVKOWVO |
Lists: | pgsql-general |
Hi all,
I have a problem with psql cert authentication and user mapping.
In my installation, the user certificate CNs contain human-readable names (utf8, with spaces, etc.). I want *all* users connecting with cert authentication to be mapped to a certain database role. The server runs on Debian Stretch, using the package “postgresql-10” ver. “10.11-1.pgdg90+1”.
The configuration in pg_hba.conf is, inter alia
<snip>
hostssl testdb all 172.16.61.0/24 cert map=certaccess
</snip>
The file pg_ident.conf contains the line (which should, as the re matches *everything*, map all users?)
<snip>
certaccess /^.*$ testuser
</snip>
I have a user certificate, issued by the same CA as the server cert, with CN "Albrecht Dreß". Running psql on a remote client fails:
<snip>
albrecht(at)deneb:~$ psql -h dbserver -U "Albrecht Dreß" testdb
psql: FATAL: certificate authentication failed for user "Albrecht Dreß"
FATAL: no pg_hba.conf entry for host "172.16.61.70", user "Albrecht Dreß", database "testdb", SSL off
</snip>
The server log says:
<snip>
Albrecht Dreß(at)testdb LOG: no match in usermap "certaccess" for user "Albrecht Dreß" authenticated as "Albrecht Dreß"
Albrecht Dreß(at)testdb FATAL: certificate authentication failed for user "Albrecht Dreß"
Albrecht Dreß(at)testdb DETAIL: Connection matched pg_hba.conf line 136: " hostssl testdb all 172.16.61.0/24 cert map=certaccess"
Albrecht Dreß(at)testdb FATAL: no pg_hba.conf entry for host "172.16.61.70", user "Albrecht Dreß", database "testdb", SSL off
</snip>
For me, this looks as if the certificate is accepted, but the regexp match of the CN somehow fails.
Note 1: I don't have a role “Albrecht Dreß” defined.
Note 2: using my “real” user name (albrecht), i.e. omitting the “-U” option above, fails with the server log message “provided user name (albrecht) and authenticated user name (Albrecht Dreß) do not match”.
Any idea what I did wrong, and how I can get a working cert authentication?
Thanks in advance,
Albrecht.
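As an added illustration (not part of Albrecht's message, and not PostgreSQL's own code), the Python below models how PostgreSQL 10 evaluates a pg_ident.conf usermap: an entry never rewrites the role the client asked for, it only decides whether the authenticated system user (here the certificate CN) may connect as the requested role, which is why "for user" in the log line is the requested role and "authenticated as" is the CN. Assumptions: simplified parsing (no quoted fields, no case-insensitive matching option), and the pg_ident.conf content is constructed from the line quoted above.

```python
import re

# Constructed pg_ident.conf content mirroring the line quoted in the post.
PG_IDENT = """
# MAPNAME    SYSTEM-USERNAME   PG-USERNAME
certaccess   /^.*$             testuser
"""


def parse_pg_ident(text):
    """Return (map, system_user, pg_role) tuples; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(fields))
    return entries


def usermap_allows(entries, map_name, system_user, requested_role):
    """Simplified model of PostgreSQL 10's usermap check (assumption: no quoting).

    The map does not change requested_role; it only answers whether
    system_user (the certificate CN) is permitted to connect as it.
    """
    for mapname, sys_pattern, pg_role in entries:
        if mapname != map_name:
            continue
        if sys_pattern.startswith("/"):
            # Regular-expression entry: match the CN (unanchored search, as
            # pg_regexec does), then substitute capture group 1 for \1 if used.
            m = re.search(sys_pattern[1:], system_user)
            if not m:
                continue
            if r"\1" in pg_role:
                if m.re.groups < 1:
                    raise ValueError(r"\1 used but the regex has no capture group")
                pg_role = pg_role.replace(r"\1", m.group(1))
            if pg_role == requested_role:
                return True
        elif sys_pattern == system_user and pg_role == requested_role:
            return True
    return False


def check(requested_role, cn="Albrecht Dreß"):
    """Evaluate the post's map for a given -U role and certificate CN."""
    return usermap_allows(parse_pg_ident(PG_IDENT), "certaccess", cn, requested_role)
```

With the post's configuration, `check("Albrecht Dreß")` reproduces the "no match in usermap" outcome, while `check("testuser")` succeeds because the CN matches the regex and the mapped role equals the requested one.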