When specifying the ident term as a host record's authentication method, PostgreSQL uses the pg_ident.conf file to map the identifying username to a PostgreSQL username. The identifying username is the name provided by the connecting client's identd service (RFC 1413), which is required to identify the name of the system account initiating the connection. This method is similar to the trust method, but restricts access based on the identifying username.
As stated in the specification for the ident protocol, "The Identification Protocol is not intended as an authorization or access control protocol." This is only a useful method of identification for secure, controlled machines, and is not intended as a means for secure control from a wide array of external machines. This is because an identd daemon merely returns an arbitrary username describing the current system user. For example, allowing the username jworsley from an entire subnet of IP addresses would create a serious security hole, because anyone with a machine in that subnet could create a user named jworsley and become "authenticated" as a result.
The pg_ident.conf file should be located in the same path as the pg_hba.conf file, or wherever the ident_file option in postgresql.conf specifies. As with pg_hba.conf, changes to the pg_ident.conf file do not require PostgreSQL to be restarted.
The content of the pg_ident.conf associates identifying usernames with PostgreSQL usernames via definitions called ident maps. This is useful for users whose system usernames do not match their PostgreSQL usernames. Some rules you should keep in mind when defining and using an ident map are:
- Each ident map member is defined on a single line, which associates a map name with an identifying username and a translated PostgreSQL username.
- The pg_ident.conf file can contain multiple map names. Each group of single lines with the same map name is considered a single map.
- The pg_hba.conf file determines the types of connections that relate to users in this file.
A single-line record defining an ident map member consists of three tokens: the name of the map, the identifying username, and the translated PostgreSQL username. The syntax is as follows, with each token separated by spaces or tabs:
mapname identname postgresqlname
1. mapname: the map name used in the pg_hba.conf file to refer to the ident map.
2. identname: the identifying username, which is generally the name of the system user attempting to establish a connection to the database. This is the name provided by the identd daemon, which must be running on the system attempting to connect.
3. postgresqlname: the PostgreSQL username permitted for the preceding identifying username. You may specify several lines with the same identname but different postgresqlname values, in order to allow a single system user access to several accounts, which do not all need to be on the same database.
As an example, suppose that the Book Town server has a set of system accounts named jdrake, jworsley, and auditor, used for two salespeople and an internal auditor, respectively.
You may wish to create a pair of ident maps for these two groups of users. Suppose that the sales department's workstation has an IP address of 192.168.1.3 and only needs access to the booktown database, while the audit department's workstation has an IP address of 192.168.1.4 and requires access to all databases. This scenario might result in a pg_hba.conf such as the one displayed in Example 3-31.
Example 3-31. An ident configuration in pg_hba.conf
```
host booktown 192.168.1.3 255.255.255.255 ident sales
host all      192.168.1.4 255.255.255.255 ident audit
```
This host access configuration states that the sales machine may connect to the booktown database using an ident map named sales, and the audit workstation may connect to any database using an ident map named audit. Each of these maps must then be configured within the pg_ident.conf file. Example 3-32 demonstrates such a configuration.
Example 3-32. A pg_ident.conf configuration
```
# MAP    IDENT      POSTGRESQL_USERNAME
sales    jdrake     sales
sales    jworsley   sales
audit    auditor    sales
audit    auditor    postgres
```
The file shown in Example 3-32 allows either of the system users jdrake or jworsley to connect as the PostgreSQL sales user, and allows the system user named auditor to connect to PostgreSQL as either sales or postgres.
Note: It is possible for an identifying username to be mapped to multiple PostgreSQL usernames. This is illustrated in Example 3-32 with the auditor user.
If you wish only to use ident as a means of automatically identifying your remote username, you do not need to use the pg_ident.conf file. You can instead use the special term sameuser in the pg_hba.conf file, in place of a map name.
Again, this is similar to the trust method; however, ident sameuser restricts connections based on the username provided by identd. Providing a PostgreSQL username to connect with (e.g., with the -U flag to psql) that is different from the name sent by identd will result in a failure to connect.
Use of the sameuser map is demonstrated in Example 3-33.
The host record in Example 3-33 allows any machine on the 192.168.1 network block to connect to the booktown database, using the PostgreSQL username that matches the username provided by identd. The sameuser term causes PostgreSQL to implicitly compare the requested PostgreSQL username against the name provided by identd.
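To make the mapping rules concrete, here is an added example (not code from the book or from PostgreSQL itself) that parses pg_ident.conf and old-style pg_hba.conf records and decides whether a connection is permitted, covering both the named maps of Example 3-32 and the sameuser term described above. The sample configuration lines are constructed from the Book Town scenario; the third host record is assumed to be the sameuser record of Example 3-33.

```python
import ipaddress

# Constructed sample files in the page's formats (old-style address + netmask).
PG_HBA = """\
host booktown 192.168.1.3 255.255.255.255 ident sales
host all      192.168.1.4 255.255.255.255 ident audit
host booktown 192.168.1.0 255.255.255.0   ident sameuser
"""
PG_IDENT = """\
# MAP    IDENT      POSTGRESQL_USERNAME
sales    jdrake     sales
sales    jworsley   sales
audit    auditor    sales
audit    auditor    postgres
"""


def parse_lines(text):
    """Yield the whitespace-separated tokens of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def load_ident_maps(text):
    """Group pg_ident.conf records: {mapname: {identname: {postgresqlname, ...}}}."""
    maps = {}
    for mapname, identname, pgname in parse_lines(text):
        maps.setdefault(mapname, {}).setdefault(identname, set()).add(pgname)
    return maps


def ident_allows(hba_text, ident_text, client_ip, database, identd_user, pg_user):
    """True if the first matching host record permits identd_user to connect as pg_user.

    PostgreSQL stops at the first pg_hba.conf record whose type, database and
    address match, so record order matters; only the ident method is handled here.
    """
    maps = load_ident_maps(ident_text)
    ip = ipaddress.ip_address(client_ip)
    for rec in parse_lines(hba_text):
        kind, db, addr, mask, method = rec[:5]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if kind != "host" or ip not in net or db not in ("all", database):
            continue
        if method != "ident":
            return False  # some other authentication method; out of scope here
        mapname = rec[5]
        if mapname == "sameuser":  # identd name must equal the requested name
            return identd_user == pg_user
        return pg_user in maps.get(mapname, {}).get(identd_user, set())
    return False  # no matching host record: connection refused
```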