Re: PAM documentation

On Wed, Apr 27, 2005 at 12:03:54PM -0400, Bruce Momjian wrote:
> Tom Lane wrote:
> > momjian(at)svr1(dot)postgresql(dot)org (Bruce Momjian) writes:
> > > Mention that PAM requires the user already exist in the database, per
> > > Dick Davies.
> >
> > I don't recall exactly what Dick suggested, but the patch as applied
> > seems like fairly useless verbiage. Exactly which of our other auth
> > methods allow users who *don't* exist in the database to log in?
> > And why would anyone find it surprising that this does not happen?
>
> Can someone comment if having to create the database user account to use
> PAM is something that people forget? Is there increased confusion
> because PAM is usually used for the operating system usernames?
>
> Attached is the addition I made to the docs recently. Is it useful?

Yes, because PAM works different on other systems, specially if it's
configured to use LDAP or some such. Though I'd rephrase with something
like

> default PAM service name is <literal>postgresql</literal>. You can
> optionally supply your own service name after the <literal>pam</>
> key word in the file <filename>pg_hba.conf</filename>.
> ! Note that PAM is only used to validate username/password pairs;
> ! therefore, the user must already exist in the database before PAM
> ! can be used for authentication. For more information about
> ! PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/">

--
Alvaro Herrera (<alvherre[(at)]dcc(dot)uchile(dot)cl>)
"Porque francamente, si para saber manejarse a uno mismo hubiera que
rendir examen... ¿Quién es el machito que tendría carnet?" (Mafalda)