Hi,
Since PostgreSQL 12 (0516c61b756e39) we have allowed for the ability to
set "clientcert=verify-full" against various HBA authentication methods.
This provides the ability to provide "multi-factor authentication" e.g.
a client must provide both a valid certificate with a CN (or DN) that
matches the user account, as well as a separate authentication challenge
(e.g. a password).
With certificate-based authentication methods and other methods, we
allow for users to specify a mapping in pg_ident, e.g. if one needs to
perform a rewrite on the CN to match the username that is specified
within PostgreSQL.
It seems logical that we should allow for something like:
hostssl all all all scram-sha-256 clientcert=verify-full map=map
so we can accept certificates that may have CNs that can be mapped to a
PostgreSQL user name.
Currently we can't do this, as one will get the error:
> authentication option "map" is only valid for authentication methods
> ident, peer, gssapi, sspi, and cert
I propose the below patch to add the currently supported password
methods, scram-sha-256 + md5 to allow for the "map" parameter to be
used. I hesitate to add md5 given we're trying to phase it out, so open
to debate there.
With my testing, this does work when you specify clientcert=verify-full:
PostgreSQL will correctly map the certificate. If you do not have
clientcert=verify-full, the mapping appears to do nothing.
If this seems acceptable/valid, I'll add the appropriate documentation
and whatever else may be required.
Thanks,
Jonathan
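As an added illustration (not part of Jonathan's message or of the proposed patch), this is the pg_hba.conf / pg_ident.conf pair the proposal would make possible. It assumes the patch is applied; the map name "certmap", the example.com domain and the role names are constructed.

```conf
# pg_hba.conf  (constructed example; assumes the proposed "map" patch is applied)
# TYPE   DATABASE  USER  ADDRESS  METHOD         OPTIONS
#
# Without a map: the client certificate chain is verified against
# ssl_ca_file and its CN must equal the PostgreSQL role name exactly,
# then the client must still pass the SCRAM password challenge.
hostssl  all       all   all      scram-sha-256  clientcert=verify-full
#
# With the proposed option: the certificate CN is first rewritten through
# the "certmap" map in pg_ident.conf, then the password challenge applies.
hostssl  all       all   all      scram-sha-256  clientcert=verify-full map=certmap
#
# As noted in the message, a map without clientcert=verify-full has no
# effect, since the CN is never compared to the role name in that case.

# pg_ident.conf  (constructed example)
# MAPNAME  SYSTEM-USERNAME (the certificate CN; a regex if it starts with "/")  PG-USERNAME
certmap    /^([a-z0-9_]+)@example\.com$    \1
certmap    svc-reporting                   reporting
```

With the regex entry, a certificate issued to alice@example.com is accepted for role "alice"; the literal entry maps the CN svc-reporting to role "reporting" and no other CN.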