Tom Lane wrote:
> "Florian G. Pflug" <fgp(at)phlo(dot)org> writes:
>> I believe it would be sufficient to add an additional column to pg_hba.conf
>> called "On Failure". The value could either be "Continue" or "Abort", with
>> the default being "Abort" to match the current behaviour.
> Then you get into the problem that it has to work for *all* auth
> methods, which in general it will not, because the client probably isn't
> prepared for multiple auth challenges. Jeroen's kluge avoids that by
> only working for an auth method that doesn't involve a client challenge.
Yes, if we did that we'd probably have to fix libpq to allow for it (and
any native protocol implementations such as JDBC). Can the wire protocol
> The example you cited is easily implemented without any new features,
> anyway, using "samegroup":
> local all samegroup ident sameuser
> local all all md5
> where users are made members of the group/role named after the database
> they are allowed to log into without a password.
I was just composing almost this identical example ;-)
'samegroup' is a much overlooked feature, I believe, and should be
extremely useful for hosting providers especially.
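
The record selection behind the `samegroup` example quoted above, as an added Python model that is not part of the original message or of PostgreSQL's own code. It assumes the documented pg_hba.conf column order (TYPE DATABASE USER METHOD), so `samegroup` is placed in the DATABASE column; the role names, database names and memberships are constructed, and membership is modelled as direct membership only.

```python
# Added illustration: simplified model of how one pg_hba.conf record is chosen.
from typing import NamedTuple, Optional, Sequence

class HbaRecord(NamedTuple):
    conntype: str
    database: str   # "all", "sameuser", "samegroup"/"samerole", or a name
    user: str       # "all" or a role name
    method: str

# The two records from the message, in file order (assumed column order).
RECORDS = [
    HbaRecord("local", "samegroup", "all", "ident sameuser"),
    HbaRecord("local", "all", "all", "md5"),
]

# Constructed sample data: role -> roles it is a direct member of.
MEMBER_OF = {"alice": {"shopdb"}, "bob": set()}

def database_matches(field: str, database: str, user: str) -> bool:
    if field == "all":
        return True
    if field == "sameuser":
        return database == user
    if field in ("samegroup", "samerole"):
        # Matches when the user belongs to the role named after the database.
        return database in MEMBER_OF.get(user, set())
    return field == database

def select_method(conntype: str, database: str, user: str,
                  records: Sequence[HbaRecord] = RECORDS) -> Optional[str]:
    """Return the auth method of the first matching record, else None.

    Exactly one record is selected. If its method then fails, the
    connection is refused; later records are not tried.
    """
    for rec in records:
        if (rec.conntype == conntype
                and database_matches(rec.database, database, user)
                and rec.user in ("all", user)):
            return rec.method
    return None  # no matching record: connection rejected

if __name__ == "__main__":
    for db, user in [("shopdb", "alice"), ("shopdb", "bob"), ("otherdb", "alice")]:
        print(f"{user}@{db}: {select_method('local', db, user)}")
```

Record order matters: with the two records swapped, the `all all md5` record matches every local connection first and the `samegroup` record is never reached.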