Re: Parsing of pg_hba.conf and authentication inconsistencies

Magnus,

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> Yeah. I think the question there is just - how likely is it that the
> same installation actually uses >1 authentication method. Personally, I
> think it's not very uncommon at all, but fact remains that as long as
> you only use one of them at a time, using a shared file doesn't matter.

We use multiple authentication types *alot*.. ident, md5, kerberos, and
gssapi are all currently in use on our systems. ident for local unix
logins, md5 for 'role' accounts and software the doesn't understand
kerberos, kerberos/gssapi depending on the age of the client library
connecting. Oh, and we use pam too.. We use some mappings now with
ident, which I'd expect to continue to do, and I've got definite plans
for mappings under Kerberos/GSSAPI once it's supported..

> > It wouldn't be very easy/clean to do that w/o breaking the existing
> > structure of pg_ident though, which makes me feel like using seperate
> > files is probably the way to go.
>
> Yeah, thats my feeling as well. Now, can someone figure out a way to do
> that without parsing the file in the postmaster? (And if we do parse it,
> there's no point in not storing the parsed version, IMHO). And if not,
> the question it comes down to is which is most important - keeping the
> parsing away, or being able to do this ;-)

I don't have an answer wrt the parsing issue, but I definitely want to
be able to do this. :)

Thanks,

Stephen