Re: password rules

From: Gilles Darold <gilles(at)darold(dot)net>
To: raphi <raphi(at)crashdump(dot)ch>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: password rules
Date: 2025-06-24 12:28:41
Message-ID: bb9a5165-6581-458f-9599-258923abb28e@darold.net
Lists: pgsql-general

On 24/06/2025 at 07:18, raphi wrote:
>
>
> On 23.06.2025 at 22:39, Christoph Berg wrote:
>> Re: raphi
>>> Sorry for this rather long (first) email on this list but I feel
>>> like I had
>>> to explain our usecase and why LDAP is not always as simple as
>>> adding a line
>>> to hba.conf.
>> Did you give the "pam" method a try? T
> Not really because it's a local solution. How do you change passwords
> or keep history on your standby nodes? Besides, the documentation says
> that postgres can't handle /etc/shadow because it runs unprivileged,
> only pam_ldap would work. Or am I missing something?
>
> have fun,
> raphi

I think the credcheck extension has been created to handle the features
you are requesting.

> - enforce some password complexity and prevent reuse

This is already implemented.

> - expire a password immediately after creating and prompt the user to
> change it upon first login try. They can connect with the initial
> password but cannot login until they've set a new password.

I started to work on it some weeks ago and it just needs more time to
end/polish the job.

> the password history is not being replicated to the standby so we can
> not use it.

It has been on my TODO list for a year, as you noted, and I will try to
implement it this summer.

--
Gilles Darold
