Re: "Optional ident" authentication

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Florian G(dot) Pflug" <fgp(at)phlo(dot)org>, "Jeroen T(dot) Vermeulen" <jtv(at)xs4all(dot)nl>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: "Optional ident" authentication
Date: 2006-11-28 15:42:13
Lists: pgsql-hackers

Tom Lane wrote:
> "Florian G. Pflug" <fgp(at)phlo(dot)org> writes:
>> I believe it would be sufficient to add an additional column to pg_hba.conf
>> called "On Failure". The value could either be "Continue" or "Abort", with
>> the default being "Abort" to match the current behaviour.
> Then you get into the problem that it has to work for *all* auth
> methods, which in general it will not, because the client probably isn't
> prepared for multiple auth challenges.  Jeroen's kluge avoids that by
> only working for an auth method that doesn't involve a client challenge.

Yes, if we did that we'd probably have to fix libpq to allow for it (and 
any native protocol implementations such as JDBC). Can the wire protocol 
handle it?

> The example you cited is easily implemented without any new features,
> anyway, using "samegroup":
> 	local	all	samegroup	ident sameuser
> 	local	all	all		md5
> where users are made members of the group/role named after the database
> they are allowed to log into without a password.

I was just composing almost this identical example ;-)

'samegroup' is a much overlooked feature, I believe, and should be 
extremely useful for hosting providers especially.
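
An added illustration of the two-record setup quoted above, not code from the thread or from PostgreSQL: a simplified Python model of how pg_hba.conf records are checked top to bottom, with the first matching record deciding the auth method and no fall-through to later records. The rules are constructed in TYPE DATABASE USER METHOD order with samegroup in the database column, where the pg_hba.conf documentation defines that keyword. The names alice, bob, shop and blog and the memberships are constructed, and only direct role membership is modelled.

```python
# Added example: simplified model of pg_hba.conf first-match selection.
# Constructed rules in TYPE DATABASE USER METHOD order (assumption: samegroup
# sits in the DATABASE column, as the pg_hba.conf documentation defines it).
HBA = """
local   samegroup   all   ident sameuser
local   all         all   md5
"""

# Constructed role memberships: alice belongs to the role named after "shop".
MEMBERS = {"alice": {"shop"}}


def parse_hba(text):
    """Parse 'local' style records into dicts, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        conn, db, user, *method = line.split()
        rules.append({"type": conn, "db": db, "user": user,
                      "method": " ".join(method)})
    return rules


def db_matches(field, db, user, members):
    if field == "all":
        return True
    if field == "sameuser":
        return db == user
    if field == "samegroup":  # user must be in the role named like the database
        return db in members.get(user, set())
    return db in field.split(",")


def select_method(rules, conn_type, db, user, members):
    """Return the method of the first matching record, or None (reject).

    Only the first match is used: if that method then fails, the connection
    is refused and later records are never tried.
    """
    for r in rules:
        if (r["type"] == conn_type and db_matches(r["db"], db, user, members)
                and r["user"] in ("all", user)):
            return r["method"]
    return None


if __name__ == "__main__":
    rules = parse_hba(HBA)
    for db, user in [("shop", "alice"), ("blog", "alice"), ("shop", "bob")]:
        print(f"{user} -> {db}: {select_method(rules, 'local', db, user, MEMBERS)}")
```

Members of a database's role are routed to ident, everyone else to md5, and a connection type with no matching record is rejected outright.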


