[GENERAL] pg_ident mapping Kerberos Usernames

From: techmail+pgsql@dangertoaster.com
Subject: [GENERAL] pg_ident mapping Kerberos Usernames
Msg-id: 449baa21-a624-512c-56c3-556dba214b11@dangertoaster.com
Replies: Re: [GENERAL] pg_ident mapping Kerberos Usernames  (rob stone <floriparob@gmail.com>)
Re: [GENERAL] pg_ident mapping Kerberos Usernames  (Magnus Hagander <magnus@hagander.net>)
List: pgsql-general
Hi,

I'm trying to get pg_ident to map "user1" and "user1@A.DOMAIN.TLD" to 
"user1" in postgres, or vice versa. I'm not picky about which way works.

Kerberos authentication works. I've gotten "user1" to login successfully 
with a Kerberos ticket, but I'm not able to get "user1@A.DOMAIN.TLD" to 
match.

Environment:
* PostgreSQL 9.6 from PostgreSQL repos
* CentOS 7
* FreeIPA for Kerberos, LDAP, etc.
* Realm A.DOMAIN.TLD
* "user1" database exists
* "user1" role exists
* When logging into CentOS, usernames are configured to drop the domain, so 
they appear as "user1" rather than "user1@a.domain.tld".


pg_hba.conf:

local   all             postgres                                peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
host    all             all             192.168.1.0/24          gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD  # This is on one line; Thunderbird is truncating lines.


pg_ident.conf:

testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
testnet    /^([0-9A-Za-z_-]+)$     \1


Regex that works for both in regexr.com:

/^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm


Command and lines from pg_log:

$ psql -h db0 # Logged in as user1 with Kerberos ticket

< 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG:  connection received: host=192.168.1.201 port=44918
< 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG:  connection authorized: user=user1 database=user1
< 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG:  disconnection: session time: 0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918

$ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with Kerberos ticket

< 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG:  connection received: host=192.168.1.201 port=44920
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > LOG:  no match in usermap "testnet" for user "user1@A.DOMAIN.TLD" authenticated as "user1@A.DOMAIN.TLD"
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > FATAL:  GSSAPI authentication failed for user "user1@A.DOMAIN.TLD"
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > DETAIL:  Connection matched pg_hba.conf line 87: "host   all        all             192.168.1.0/24          gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD"


Is this something that is possible, or is it something where I need to 
pick one way to do it?

Thanks in advance,
Ryan


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
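To make the "no match in usermap" log line above easier to read, here is an added example (not from the post and not PostgreSQL's own code) that models how the server evaluates a pg_ident usermap: for each line of the named map, the system name delivered by GSSAPI (with include_realm=1, "user1@A.DOMAIN.TLD") must match the regex, and the role produced by the \1 substitution must then equal the role the client asked for with -U. It assumes PostgreSQL 9.x semantics (case-sensitive comparison, regex only on the system-name side) and embeds the two pg_ident.conf lines from the post as constructed input.

```python
import re

# The two pg_ident.conf lines from the post, embedded so the script runs offline.
PG_IDENT = r"""
testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
testnet    /^([0-9A-Za-z_-]+)$     \1
"""


def parse_pg_ident(text):
    """Return (mapname, system_user, pg_role) triples; blank and comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(fields))
    return entries


def check_usermap(entries, mapname, system_user, pg_role):
    """Model of PostgreSQL's usermap check: a line matches only when the system
    name matches AND the role after capture-group substitution equals the role
    the client requested. Returns the matching line, or None for "no match"."""
    for name, file_sys, file_role in entries:
        if name != mapname:
            continue
        if file_sys.startswith("/"):          # a leading slash marks a regex
            m = re.search(file_sys[1:], system_user)
            if not m:
                continue
            if "\\1" in file_role:
                if m.re.groups < 1:
                    raise ValueError(f"{file_role!r} uses \\1 but the regex has no capture group")
                mapped = file_role.replace("\\1", m.group(1), 1)
            else:
                mapped = file_role
            if mapped == pg_role:
                return (name, file_sys, file_role)
        elif file_sys == system_user and file_role == pg_role:
            return (name, file_sys, file_role)
    return None


ENTRIES = parse_pg_ident(PG_IDENT)
SYSTEM_USER = "user1@A.DOMAIN.TLD"  # what GSSAPI hands over with include_realm=1

if __name__ == "__main__":
    for requested in ("user1", "user1@A.DOMAIN.TLD"):
        hit = check_usermap(ENTRIES, "testnet", SYSTEM_USER, requested)
        print(f"-U {requested:20} -> {'matched ' + hit[1] if hit else 'no match in usermap'}")
```

Running it shows the first request mapping through line one to "user1", while the second fails because the substituted role "user1" is not the requested "user1@A.DOMAIN.TLD" and line two cannot match a system name containing "@".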
