


postgresql

14th chunk of `doc/src/sgml/client-auth.sgml`
       ADDRESS                 METHOD
host    all             all             192.168.0.0/16          ident map=omicron

# If these are the only four lines for local connections, they will
# allow local users to connect only to their own databases (databases
# with the same name as their database user name) except for users whose
# names end with "helpdesk", administrators and members of role "support",
# who can connect to all databases.  The file $PGDATA/admins contains a
# list of names of administrators.  Passwords are required in all cases.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   sameuser        all                                     md5
local   all             /^.*helpdesk$                           md5
local   all             @admins                                 md5
local   all             +support                                md5

# The last two lines above can be combined into a single line:
local   all             @admins,+support                        md5

# The database column can also use lists and file names:
local   db1,db2,@demodbs  all                                   md5
</programlisting>
   </example>
 </sect1>

 <sect1 id="auth-username-maps">
  <title>User Name Maps</title>

  <indexterm zone="auth-username-maps">
   <primary>User name maps</primary>
  </indexterm>

  <para>
   When using an external authentication system such as Ident or GSSAPI,
   the name of the operating system user that initiated the connection
   might not be the same as the database user (role) that is to be used.
   In this case, a user name map can be applied to map the operating system
   user name to a database user.  To use user name mapping, specify
   <literal>map</literal>=<replaceable>map-name</replaceable>
   in the options field in <filename>pg_hba.conf</filename>. This option is
   supported for all authentication methods that receive external user names.
   Since different mappings might be needed for different connections,
   the <replaceable>map-name</replaceable> parameter in <filename>pg_hba.conf</filename>
   selects which map to use for each individual connection.
  </para>

  <para>
   User name maps are defined in the ident map file, which by default is named
   <filename>pg_ident.conf</filename><indexterm><primary>pg_ident.conf</primary></indexterm>
   and is stored in the
   cluster's data directory.  (It is possible to place the map file
   elsewhere, however; see the <xref linkend="guc-ident-file"/>
   configuration parameter.)
   The ident map file contains lines of the general forms:
<synopsis>
<replaceable>map-name</replaceable> <replaceable>system-username</replaceable> <replaceable>database-username</replaceable>
<literal>include</literal> <replaceable>file</replaceable>
<literal>include_if_exists</literal> <replaceable>file</replaceable>
<literal>include_dir</literal> <replaceable>directory</replaceable>
</synopsis>
   Comments, whitespace and line continuations are handled in the same way as in
   <filename>pg_hba.conf</filename>.  The
   <replaceable>map-name</replaceable> is an arbitrary name that will be used to
   refer to this mapping in <filename>pg_hba.conf</filename>. The other
   two fields specify an operating system user name and a matching
   database user name. The same <replaceable>map-name</replaceable> can be
   used repeatedly to specify multiple user-mappings within a single map.
  </para>
  <para>
   As for <filename>pg_hba.conf</filename>, the lines in this file can
   be include directives, following the same rules.
  </para>
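
An added example (not part of the PostgreSQL documentation or source): a Python check that cross-references `map=` options in `pg_hba.conf` against the maps defined in `pg_ident.conf`, reporting map names that are referenced but undefined or defined but never referenced. The sample file contents and all function names are constructed for illustration; it assumes plain unquoted tokens with exact-match user names, and include directives are skipped rather than followed.

```python
# Constructed sample files; only the map=omicron line is the page's own example.
PG_HBA = """\
host    all  all  192.168.0.0/16  ident map=omicron
host    all  all  10.0.0.0/8      gss   map=krbmap
"""
PG_IDENT = """\
# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
omicron    alice            alice
omicron    alice            reporting   # same map-name, second mapping
omicron    svc_backup       backup
legacy     olduser          postgres
include_if_exists  extra_ident.conf
"""
INCLUDES = {"include", "include_if_exists", "include_dir"}

def records(text):
    """Yield token lists, joining backslash continuations and dropping comments."""
    for line in text.replace("\\\n", "").splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            yield tokens

def parse_ident(text):
    """Return {map-name: set of (system-username, database-username)}."""
    maps = {}
    for tokens in records(text):
        if tokens[0] in INCLUDES:
            continue  # include directives are not followed in this example
        if len(tokens) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {tokens}")
        maps.setdefault(tokens[0], set()).add((tokens[1], tokens[2]))
    return maps

def hba_maps(text):
    """Return the set of map names referenced through map=... options."""
    return {tok[len("map="):] for tokens in records(text)
            for tok in tokens if tok.startswith("map=")}

def audit(hba_text, ident_text):
    """Report maps referenced but undefined, and maps defined but never referenced."""
    maps, used = set(parse_ident(ident_text)), hba_maps(hba_text)
    return {"undefined": sorted(used - maps),
            "unused": sorted(maps - used)}

def may_connect(maps, map_name, system_user, database_user):
    """Exact-match lookup only; an undefined map matches nobody."""
    return (system_user, database_user) in maps.get(map_name, set())

if __name__ == "__main__":
    print(audit(PG_HBA, PG_IDENT))
```
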

  <para>
   The <filename>pg_ident.conf</filename> file is read on start-up and
   when the main server process receives a
   <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
   signal. If you edit the file on an
   active system, you will need to signal the postmaster
   (using <literal>pg_ctl reload</literal>,

Title: User Name Maps in PostgreSQL Authentication
Summary
This section explains how to use user name maps in PostgreSQL to map operating system user names to database user names, particularly when using external authentication systems like Ident or GSSAPI, and describes the format and usage of the pg_ident.conf file, which defines these mappings.