


postgresql

15th chunk of `doc/src/sgml/client-auth.sgml`

</synopsis>
   Comments, whitespace and line continuations are handled in the same way as in
   <filename>pg_hba.conf</filename>.  The
   <replaceable>map-name</replaceable> is an arbitrary name that will be used to
   refer to this mapping in <filename>pg_hba.conf</filename>. The other
   two fields specify an operating system user name and a matching
   database user name. The same <replaceable>map-name</replaceable> can be
   used repeatedly to specify multiple user-mappings within a single map.
  </para>
  <para>
   As for <filename>pg_hba.conf</filename>, the lines in this file can
   be include directives, following the same rules.
  </para>

  <para>
   The <filename>pg_ident.conf</filename> file is read on start-up and
   when the main server process receives a
   <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
   signal. If you edit the file on an
   active system, you will need to signal the postmaster
   (using <literal>pg_ctl reload</literal>, calling the SQL function
   <function>pg_reload_conf()</function>, or using <literal>kill
   -HUP</literal>) to make it re-read the file.
  </para>

  <para>
   The system view
   <link linkend="view-pg-ident-file-mappings"><structname>pg_ident_file_mappings</structname></link>
   can be helpful for pre-testing changes to the
   <filename>pg_ident.conf</filename> file, or for diagnosing problems if
   loading of the file did not have the desired effects.  Rows in the view with
   non-null <structfield>error</structfield> fields indicate problems in the
   corresponding lines of the file.
  </para>

  <para>
   There is no restriction regarding how many database users a given
   operating system user can correspond to, nor vice versa.  Thus, entries
   in a map should be thought of as meaning <quote>this operating system
   user is allowed to connect as this database user</quote>, rather than
   implying that they are equivalent.  The connection will be allowed if
   there is any map entry that pairs the user name obtained from the
   external authentication system with the database user name that the
   user has requested to connect as. The value <literal>all</literal>
   can be used as the <replaceable>database-username</replaceable> to specify
   that if the <replaceable>system-username</replaceable> matches, then this
   user is allowed to log in as any of the existing database users. Quoting
   <literal>all</literal> makes the keyword lose its special meaning.
  </para>
  <para>
   If the <replaceable>database-username</replaceable> begins with a
   <literal>+</literal> character, then the operating system user can log in as
   any user belonging to that role, similarly to how user names beginning with
   <literal>+</literal> are treated in <literal>pg_hba.conf</literal>.
   Thus, a <literal>+</literal> mark means <quote>match any of the roles that
   are directly or indirectly members of this role</quote>, while a name
   without a <literal>+</literal> mark matches only that specific role. Quoting
   a username starting with a <literal>+</literal> makes the
   <literal>+</literal> lose its special meaning.
  </para>
  <para>
   If the <replaceable>system-username</replaceable> field starts with a slash (<literal>/</literal>),
   the remainder of the field is treated as a regular expression.
   (See <xref linkend="posix-syntax-details"/> for details of
   <productname>PostgreSQL</productname>'s regular expression syntax.)  The regular
   expression can include a single capture, or parenthesized subexpression,
   which can then be referenced in the <replaceable>database-username</replaceable>
   field as <literal>\1</literal> (backslash-one).  This allows the mapping of
   multiple user names in a single line, which is particularly useful for
   simple syntax substitutions.  For example, these entries
<programlisting>
mymap   /^(.*)@mydomain\.com$      \1
mymap   /^(.*)@otherdomain\.com$   guest
</programlisting>
   will remove the domain part

Title: Configuring User Name Maps in PostgreSQL
Summary
This section describes the configuration and usage of user name maps in PostgreSQL, including the format of the pg_ident.conf file, how to reload the file after changes, and the use of system views to diagnose problems, as well as the rules for mapping operating system users to database users, including the use of regular expressions and special characters like + and /.
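
Added example (not part of the PostgreSQL documentation or source): a small Python model of the matching rules described above, useful for checking which database users a given external identity could reach through a map before reloading the file. Assumptions: Python's `re` stands in for PostgreSQL's regular expression engine, the `MEMBER_OF` role graph and the sample entries beyond the two from the page are constructed, the tokenizer is simplified, and the existence of database users is not checked for `all`.

```python
import re

# Constructed sample in pg_ident.conf syntax: map-name system-username database-username
SAMPLE = r'''
# comment line
mymap   /^(.*)@mydomain\.com$      \1
mymap   /^(.*)@otherdomain\.com$   guest
mymap   backup                     +readers
mymap   dba                        all
mymap   ops                        "all"
'''

# Hypothetical role graph (role -> roles it is directly a member of).
MEMBER_OF = {"alice": {"analysts"}, "analysts": {"readers"}}

def is_member(role, group):
    """True if role is a direct or indirect member of group."""
    todo, seen = [role], set()
    while todo:
        for parent in MEMBER_OF.get(todo.pop(), ()):
            if parent == group:
                return True
            if parent not in seen:
                seen.add(parent)
                todo.append(parent)
    return False

def entries(text):
    """Yield (map, system field, database field, quoted?); simplified tokenizer."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, sys_f, db_f = line.split()
            yield name, sys_f, db_f.strip('"'), db_f.startswith('"')

def allowed(map_name, system_user, db_user, text=SAMPLE):
    """Any single matching entry permits the connection."""
    for name, sys_f, db_f, quoted in entries(text):
        hit = None
        if name != map_name:
            continue
        if sys_f.startswith("/"):            # leading slash: rest is a regex
            hit = re.search(sys_f[1:], system_user)
            if not hit:
                continue
        elif sys_f != system_user:
            continue
        if not quoted and db_f == "all":     # keyword: any database user
            return True
        if not quoted and db_f.startswith("+"):
            if is_member(db_user, db_f[1:]):
                return True
        elif (db_f.replace("\\1", hit.group(1) or "") if hit and hit.groups() else db_f) == db_user:
            return True                      # literal name, \1 substituted
    return False
```

In this model a captured value is compared literally after substitution, so a system user name that happens to capture as `all` does not acquire the keyword's meaning.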