PostgreSQL Reference Manual - Volume 3 - Server Administration Guide
by The PostgreSQL Global Development Group
Paperback (6"x9"), 204 pages
ISBN 0954612043
RRP £13.95 ($24.95)

7.2.4.3 Ident Maps

When using ident-based authentication, after having determined the name of the operating system user that initiated the connection, PostgreSQL checks whether that user is allowed to connect as the requested database user. This is controlled by the ident map argument that follows the ident key word in the ‘pg_hba.conf’ file. There is a predefined ident map sameuser, which allows any operating system user to connect as the database user of the same name (if the latter exists). Other maps must be created manually.

Ident maps other than sameuser are defined in the ident map file, which by default is named ‘pg_ident.conf’ and is stored in the cluster's data directory. (It is possible to place the map file elsewhere, however; see the ident_file configuration parameter.) The ident map file contains lines of the general form:

map-name ident-username database-username

Comments and whitespace are handled in the same way as in ‘pg_hba.conf’. The map-name is an arbitrary name that will be used to refer to this mapping in ‘pg_hba.conf’. The other two fields specify which operating system user is allowed to connect as which database user. The same map-name can be used repeatedly to specify more user-mappings within a single map. There is no restriction regarding how many database users a given operating system user may correspond to, nor vice versa.

The ‘pg_ident.conf’ file is read on start-up and when the main server process receives a SIGHUP signal. If you edit the file on an active system, you will need to signal the server (using pg_ctl reload or kill -HUP) to make it re-read the file.

A ‘pg_ident.conf’ file that could be used in conjunction with the ‘pg_hba.conf’ file in section 7.1 (The pg_hba.conf file) is shown at the end of this section. In this example setup, anyone logged in to a machine on the 192.168 network that does not have the Unix user name bryanh, ann, or robert would not be granted access. Unix user robert would only be allowed access when he tries to connect as PostgreSQL user bob, not as robert or anyone else. ann would only be allowed to connect as ann. User bryanh would be allowed to connect as either bryanh himself or as guest1.

An example pg_ident.conf file:

# MAPNAME     IDENT-USERNAME    PG-USERNAME

omicron       bryanh            bryanh
omicron       ann               ann
# bob has user name robert on these machines
omicron       robert            bob
# bryanh can also connect as guest1
omicron       bryanh            guest1
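
The matching rules described in this section, as an added example (not code from the manual or from the PostgreSQL source): a simplified Python model that parses the example file above and answers whether an operating system user may connect as a given database user. The function names are hypothetical; quoted fields and the check that the database user exists are not modelled, and treating an undefined map name as a denial is an assumption of this sketch.

```python
# Added example: simplified model of ident-map evaluation, not PostgreSQL source.
# SAMPLE_PG_IDENT reproduces the example file from this section.
SAMPLE_PG_IDENT = """\
# MAPNAME     IDENT-USERNAME    PG-USERNAME

omicron       bryanh            bryanh
omicron       ann               ann
# bob has user name robert on these machines
omicron       robert            bob
# bryanh can also connect as guest1
omicron       bryanh            guest1
"""


def parse_ident_map(text):
    """Return {map_name: {(ident_user, db_user), ...}} from pg_ident.conf text."""
    maps = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumption: '#' starts a comment and fields are unquoted.
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        map_name, ident_user, db_user = fields
        maps.setdefault(map_name, set()).add((ident_user, db_user))
    return maps


def is_allowed(maps, map_name, ident_user, db_user):
    """True if ident_user may connect as db_user under map_name."""
    if map_name == "sameuser":  # predefined map: names must be identical
        return ident_user == db_user
    # Assumption of this sketch: an undefined map name grants nothing.
    return (ident_user, db_user) in maps.get(map_name, set())


def cross_name_mappings(maps):
    """List (map, ident_user, db_user) entries where the two names differ,
    the lines worth reviewing when auditing who can assume which role."""
    return sorted((m, i, d) for m, pairs in maps.items()
                  for i, d in pairs if i != d)


if __name__ == "__main__":
    maps = parse_ident_map(SAMPLE_PG_IDENT)
    for ident_user, db_user in [("robert", "bob"), ("robert", "robert"),
                                ("bryanh", "guest1"), ("ann", "bob")]:
        print(ident_user, "->", db_user, is_allowed(maps, "omicron", ident_user, db_user))
    print(cross_name_mappings(maps))
```

Running `cross_name_mappings` over a production ‘pg_ident.conf’ gives a short list of the entries that let one operating system account act as a differently named database user.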