On Sat, Sep 9, 2017 at 6:44 PM, <techmail+pg...@dangertoaster.com> wrote:

> Hi,
>
> I'm trying to get pg_ident to map "user1" and "us...@a.domain.tld" to
> "user1" in postgres, or vice versa. I'm not picky about which way works.
>
> Kerberos authentication works. I've gotten "user1" to login successfully
> with a Kerberos ticket, but I'm not able to get "us...@a.domain.tld" to
> match.
>
> Environment:
> * PostgreSQL 9.6 from PostgreSQL repos
> * CentOS 7
> * FreeIPA for Kerberos, LDAP, etc.
> * Realm A.DOMAIN.TLD
> * "user1" database exists
> * "user1" role exists
> * Logging into CentOS, usernames are configured to drop the domain, so they
> appear as "user1" rather than "us...@a.domain.tld".
>
>
> pg_hba.conf:
>
> local   all             postgres                                peer
> host    all             all             127.0.0.1/32            md5
> host    all             all             ::1/128                 md5
> host    all             all             192.168.1.0/24          gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD   #This is on one line. Thunderbird is truncating lines.
>
>
> pg_ident.conf:
>
> testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
> testnet    /^([0-9A-Za-z_-]+)$     \1
>
>
> Regex that works for both in regexr.com:
>
> /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm
>
>
> Command and lines from pg_log:
>
> $ psql -h db0 # Logged in as user1 with Kerberos ticket
>
> < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: connection
> received: host=192.168.1.201 port=44918
> < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG:  connection
> authorized: user=user1 database=user1
> < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: disconnection:
> session time: 0:00:01.537 user=user1 database=user1 host=192.168.1.201
> port=44918
>
> $ psql -h db0 -U us...@a.domain.tld # Logged in as user1 with Kerberos
> ticket
>
> < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: connection
> received: host=192.168.1.201 port=44920
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 us...@a.domain.tld > LOG:
> no match in usermap "testnet" for user "us...@a.domain.tld" authenticated
> as "us...@a.domain.tld"
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 us...@a.domain.tld >
> FATAL:  GSSAPI authentication failed for user "us...@a.domain.tld"
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 us...@a.domain.tld >
> DETAIL:  Connection matched pg_hba.conf line 87: "host   all
>         all             192.168.1.0/24          gss include_realm=1
> map=testnet krb_realm=A.DOMAIN.TLD"
>
>
> Is this something that is possible, or is it something where I need to
> pick one way to do it?
>

This looks like you are trying to connect with the actual username
user1@A.DOMAIN.TLD. pg_ident only sets what you are allowed to log in as,
not what it will attempt.

If you are using psql, you are probably doing something like "psql -h
myserver". You need to add the user, so "psql -h myserver -U user1", to
instruct it of which username to actually use for the login.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/

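The point in the reply above, as an added example that is not part of the thread and not PostgreSQL's own code: a small Python model of how the server evaluates a pg_ident.conf usermap (following check_ident_usermap() in hba.c), run over the map posted in the question. A regex row matches only when the regex matches the authenticated system name and the role produced by substituting \1 is byte-for-byte equal to the role the client asked for; the map never changes what the client asks for. Assumptions, all labelled in the code: with include_realm=1 the authenticated name handed to the map is user1@A.DOMAIN.TLD (the principal named in the reply); the third map line that keeps the realm in the role name is hypothetical and would also require a database role literally named "user1@A.DOMAIN.TLD" to exist; the function names are mine.

```python
import re

# Constructed reproduction of the pg_ident.conf posted in the thread.
# Fields: MAPNAME  SYSTEM-USERNAME (a regex when it starts with "/")  PG-USERNAME
PG_IDENT_ORIGINAL = r"""
testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
testnet    /^([0-9A-Za-z_-]+)$     \1
"""

# Hypothetical third line (not from the thread): keep the realm in the role
# name, so a client that asks for the full principal is also accepted.
PG_IDENT_WITH_REALM_ROLE = PG_IDENT_ORIGINAL + r"""
testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1@A.DOMAIN.TLD
"""

# Assumed: with include_realm=1 the GSSAPI layer hands the map this full
# principal (the name given in the reply above).
SYSTEM_USER = "user1@A.DOMAIN.TLD"


def parse_pg_ident(text):
    """Parse pg_ident.conf text into (map, system_user, pg_role) tuples."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        rows.append(tuple(fields))
    return rows


def usermap_match(rows, map_name, system_user, pg_role, case_insensitive=False):
    """Return the first row that lets system_user log in as pg_role, else None.

    Mirrors check_ident_usermap() in PostgreSQL's hba.c: a system-user field
    beginning with "/" is a regex searched against the authenticated name
    (anchor it with ^ and $ yourself); the first "\\1" in the role field is
    replaced by the regex's first capture group; the expanded role must then
    equal the requested role exactly.  Only literal (non-regex) rows honour
    case-insensitive comparison (krb_caseins_users); regex rows never do.
    """
    for row in rows:
        name, sys_field, role_field = row
        if name != map_name:
            continue
        if sys_field.startswith("/"):
            m = re.search(sys_field[1:], system_user)
            if m is None:
                continue
            if "\\1" in role_field:
                if m.lastindex is None:
                    # PostgreSQL logs an error and skips the row in this case.
                    raise ValueError(f"regex {sys_field!r} has no capture group for \\1")
                expanded = role_field.replace("\\1", m.group(1), 1)
            else:
                expanded = role_field
            if expanded == pg_role:
                return row
        elif case_insensitive:
            if sys_field.lower() == system_user.lower() and role_field.lower() == pg_role.lower():
                return row
        elif sys_field == system_user and role_field == pg_role:
            return row
    return None


def evaluate(ident_text, requested_roles, system_user=SYSTEM_USER):
    """For each role a client might ask for (psql -U ...), True if the map allows it."""
    rows = parse_pg_ident(ident_text)
    return {role: usermap_match(rows, "testnet", system_user, role) is not None
            for role in requested_roles}


# The three spellings a client could pass with -U (constructed).
REQUESTED = ["user1", "user1@A.DOMAIN.TLD", "user1@a.domain.tld"]

if __name__ == "__main__":
    for label, text in (("original map", PG_IDENT_ORIGINAL),
                        ("map with realm-keeping line", PG_IDENT_WITH_REALM_ROLE)):
        print(label)
        for role, ok in evaluate(text, REQUESTED).items():
            print(f"  -U {role:<22} -> {'allowed' if ok else 'no match in usermap'}")
```

Running it shows the original map accepting only `-U user1`: the first row rewrites the principal to `user1`, which is not the `user1@A.DOMAIN.TLD` the client requested, and the second row's regex does not match a name containing `@`. Adding a row whose output is `\1@A.DOMAIN.TLD` makes the full principal acceptable too, while a lowercase realm in `-U` still fails, because a regex row is compared with a plain string comparison and krb_caseins_users only affects literal rows.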