From: Tom Lane
To: Drew Zoellner
cc: pgsql-general@postgresql.org, postgres@thewickedtribe.net
Subject: Re: Replication using mTLS issue
References: <603291.1718988382@sss.pgh.pa.us>
Comments: In-reply-to Drew Zoellner message dated "Fri, 21 Jun 2024 12:21:07 -0500"
Date: Fri, 21 Jun 2024 14:24:01 -0400
Message-ID: <630189.1718994241@sss.pgh.pa.us>

Drew Zoellner writes:
> So the same user is able to connect using a non replication connection
> using the same mtls certificate and pg_ident.conf map. So it seems like the
> cert & map are working for this user.

Hmph.
I tried to reproduce your problem, and it works for me: I can create a replication connection that's authenticated by certificate and relies on a username map to map from the CN in the client certificate to the database username that's mentioned in the "hostssl replication" entry.

All I can suggest at this point is to go over your configuration with a fine-tooth comb, looking for probably-silly mistakes such as inconsistent spellings. One thing I can think of to mention in particular is to be sure that the standby's primary_conninfo explicitly includes "user=pgrepmgr_nonprod", as that's likely not the user name it'd default to.

Another idea could be to enable log_connections on the primary, and see if the incoming connection request looks different than you were expecting.

regards, tom lane
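As an added illustration of the suggestions above (not part of the thread), this small model of pg_hba.conf record selection and pg_ident.conf mapping shows why a replication connection that omits user=pgrepmgr_nonprod in primary_conninfo can be refused while an ordinary connection with the same client certificate succeeds. The configuration, certificate CNs and addresses are constructed assumptions, and the model covers only hostssl records with the cert method.

```python
import ipaddress
import re

# Constructed sample config (assumed for this example, not the poster's files).
PG_IDENT = """
# MAPNAME  SYSTEM-USERNAME (cert CN)         PG-USERNAME
repl_map   nonprod-standby-01.example.test   pgrepmgr_nonprod
repl_map   /^standby-(\\d+)\\.example\\.test$ standby_\\1
"""
PG_HBA = """
# TYPE   DATABASE     USER              ADDRESS      METHOD
hostssl  replication  pgrepmgr_nonprod  10.0.0.0/24  cert map=repl_map
hostssl  all          all               10.0.0.0/24  cert map=repl_map
"""

def _records(conf):
    """Fields of every non-blank, non-comment line."""
    return (f for f in (ln.split("#", 1)[0].split() for ln in conf.splitlines()) if f)

def ident_map_allows(ident_conf, mapname, cert_cn, pg_user):
    """pg_ident.conf: literal compare, or a regex when SYSTEM-USERNAME starts
    with '/', in which case \\1 in PG-USERNAME is replaced by the first group."""
    for name, sys_user, mapped in _records(ident_conf):
        if name != mapname:
            continue
        if sys_user.startswith("/"):
            if not (m := re.search(sys_user[1:], cert_cn)):
                continue
            mapped = mapped.replace(r"\1", m.group(1)) if m.groups() else mapped
        elif sys_user != cert_cn:
            continue
        if mapped == pg_user:
            return True
    return False

def authenticate(hba_conf, ident_conf, *, user, database, addr, cert_cn):
    """First pg_hba.conf record matching type/database/user/address decides (no
    fall-through); 'all' never matches a physical replication connection."""
    for rtype, db, usr, cidr, method, *opts in _records(hba_conf):
        db_ok = db == database or (db == "all" and database != "replication")
        if (rtype != "hostssl" or not db_ok or usr not in ("all", user)
                or ipaddress.ip_address(addr) not in ipaddress.ip_network(cidr)):
            continue
        mapname = dict(o.split("=", 1) for o in opts).get("map")
        allowed = (ident_map_allows(ident_conf, mapname, cert_cn, user) if mapname
                   else cert_cn == user)  # no map: the CN must equal the role name
        if method == "cert" and allowed:
            return "ok"
        return f'rejected: cert CN "{cert_cn}" is not mapped to "{user}"'
    return "rejected: no matching pg_hba.conf entry"
```

With the standby's certificate CN mapped to pgrepmgr_nonprod, a replication connection requesting the defaulted role "postgres" matches no record at all (the "all" database keyword does not cover replication), whereas the same certificate connecting to an ordinary database matches the second record and succeeds, which is exactly the asymmetry described in the thread.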