Re: setting up pg_ident for peer auth with unix groups
No, there is no such mechanism. The ident service (it's not safe
as you probably know) only delivers the name of the user who has
initiated the TCP connection to the PG server.
This will be matched to the PG user the connection is supposed to
be established as. If they match, the respective line of
pg_hba.conf might grant access.
pg_ident.conf can be used to match system usernames (of the
client machine) to PG usernames.
The /etc/group file which technically could be accessed by PG
processes resides on the server and thus could be very different
from the one on the client machine. Plus, the system username used
on the client machine may not even exist on the server, nor does
the PG username have to exist as a system username on client or
Therefore, using Unix groups wouldn't make much sense.
On 30.01.20 at 12:59, Geoff wrote:
sure if I'm missing something obvious but I can't see a way to
set up pg_ident with unix groups in the username maps.
If your goal is "allow any local user who is a member of group X
to connect", you might be able to do it by setting restrictive
filesystem privileges on the postmaster's Unix-socket file. This
has some disadvantages --- notably, there's no way to override and
let selected non-group-members in too --- but it's worth considering.
See the unix_socket_group and unix_socket_permissions GUCs.
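To make the two approaches in this thread concrete (a pg_ident username map as described in the first reply, and group-restricted socket permissions as suggested in the last), here is an added configuration example that is not from the thread or from the PostgreSQL project. The group name `pgusers`, the socket directory, the map name `localmap` and the user/role names are assumptions chosen for illustration.

```conf
# postgresql.conf (added example; group and directory names are assumed)
# The socket file is created with this group and mode, so only members of
# 'pgusers' can even open a connection. The default mode is 0777, which lets
# every local account reach the socket and fall through to pg_hba.conf.
unix_socket_directories = '/var/run/postgresql'
unix_socket_group = 'pgusers'
unix_socket_permissions = 0770

# pg_hba.conf: peer authentication on the Unix socket, with a username map.
# 'peer' asks the kernel for the OS user on the other end of the socket;
# the server's /etc/group is never consulted, only the map below.
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all       all            peer map=localmap

# pg_ident.conf: OS username -> PostgreSQL role, one line per mapping.
# There is no group syntax here; a regex (leading '/') with \1 is the
# only way to express "many OS users" in one line.
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
localmap    alice             alice
localmap    bob               app_reader
localmap    /^(.*)$           \1
```

The socket mode is enforced by the kernel at connect() time, before any pg_hba.conf rule is evaluated, so a non-member of `pgusers` is refused outright; that is the "no way to let selected non-group-members in" drawback noted above. Members still have to pass the `peer` check and appear in the map (the regex line maps any remaining OS user to a same-named role, so drop it if you want an explicit allow-list). Reload the server after editing pg_hba.conf or pg_ident.conf; the socket settings need a restart.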