On Sat, 2021-03-06 at 18:33 +0100, Magnus Hagander wrote:
> In fact, if we're storing it in the Port, why
> are we even passing it as a separate parameter to check_usermap --
> shouldn't that one always use this same value?

Ah, and now I remember why I didn't consolidate this to begin with. Several auth methods perform some sort of translation before checking the usermap: cert pulls the CN out of the Subject DN, SSPI and GSS can optionally strip the realm, etc.

> ISTM that it could be
> quite confusing if the logged value is different from whatever we
> apply to the user mapping?

Maybe. But it's an accurate reflection of what's actually happening, and that's the goal of the patch: show enough information to be able to audit who's logging in. The certificates /OU=ACME Ltd./C=US/CN=pchampion and /OU=Postgres/C=GR/CN=pchampion are different identities, but Postgres will silently authorize them to log in as the same user. In my opinion, hiding that information makes things more confusing in the long term, not less.

--Jacob
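
Added example, not part of the original message and not PostgreSQL code: a small C check showing how the two Subject DNs quoted above reduce to the same CN, so a record that keeps only the translated value cannot tell them apart. The function names `extract_cn` and `identities_collapse` are hypothetical, and the parser assumes the simple slash-separated DN form used in the message (no escaped slashes, last `/CN=` component wins).

```c
#include <stdio.h>
#include <string.h>

/* Copy the value of the last CN= component of a slash-separated DN
 * (the "/OU=.../C=../CN=..." form used in the message) into out.
 * Returns 0 on success, -1 if there is no CN or it does not fit.
 * Simplified on purpose: escaped '/' inside values is not handled. */
int extract_cn(const char *dn, char *out, size_t outlen)
{
    const char *p = dn, *cn = NULL;
    size_t len;

    while ((p = strstr(p, "/CN=")) != NULL) {
        p += 4;                 /* skip past "/CN=" */
        cn = p;
    }
    if (cn == NULL)
        return -1;
    len = strcspn(cn, "/");     /* value ends at next component or end */
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, cn, len);
    out[len] = '\0';
    return 0;
}

/* Returns 1 when two different DNs reduce to the same CN, i.e. a
 * CN-only audit record could not distinguish them; 0 otherwise. */
int identities_collapse(const char *dn_a, const char *dn_b)
{
    char cn_a[256], cn_b[256];

    if (strcmp(dn_a, dn_b) == 0)
        return 0;               /* same certificate identity */
    if (extract_cn(dn_a, cn_a, sizeof cn_a) != 0 ||
        extract_cn(dn_b, cn_b, sizeof cn_b) != 0)
        return 0;               /* no usable CN: nothing to compare */
    return strcmp(cn_a, cn_b) == 0;
}

int main(void)
{
    /* The two Subject DNs quoted in the message. */
    const char *a = "/OU=ACME Ltd./C=US/CN=pchampion";
    const char *b = "/OU=Postgres/C=GR/CN=pchampion";

    printf("collapse to one user: %d\n", identities_collapse(a, b));
    return 0;
}
```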