Re: PAM documentation

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Alvaro Herrera <alvherre(at)dcc(dot)uchile(dot)cl>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>, rasputnik(at)hellooperator(dot)net
Subject: Re: PAM documentation
Date: 2005-04-27 20:11:16
Message-ID: 200504272011.j3RKBGt19907@candle.pha.pa.us
Lists: pgsql-committers pgsql-docs

Alvaro Herrera wrote:
> On Wed, Apr 27, 2005 at 12:03:54PM -0400, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > momjian(at)svr1(dot)postgresql(dot)org (Bruce Momjian) writes:
> > > > Mention that PAM requires the user already exist in the database, per
> > > > Dick Davies.
> > >
> > > I don't recall exactly what Dick suggested, but the patch as applied
> > > seems like fairly useless verbiage. Exactly which of our other auth
> > > methods allow users who *don't* exist in the database to log in?
> > > And why would anyone find it surprising that this does not happen?
> >
> > Can someone comment if having to create the database user account to use
> > PAM is something that people forget? Is there increased confusion
> > because PAM is usually used for the operating system usernames?
> >
> > Attached is the addition I made to the docs recently. Is it useful?
>
> Yes, because PAM works differently on other systems, especially if it's
> configured to use LDAP or some such. Though I'd rephrase with something
> like
>
> > default PAM service name is <literal>postgresql</literal>. You can
> > optionally supply your own service name after the <literal>pam</>
> > key word in the file <filename>pg_hba.conf</filename>.
> > ! Note that PAM is only used to validate username/password pairs;
> > ! therefore, the user must already exist in the database before PAM
> > ! can be used for authentication. For more information about
> > ! PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/">
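
Review bot: In the lines marked "!", "the user must already exist in the database" does not say which account is meant. The sentence follows a description of PAM itself, so a reader who uses PAM for operating system or LDAP logins may take "the user" to be the PAM-side account. Wording such as "a database user of the same name must already exist" would state the requirement without that ambiguity.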

OK, update done:

PAM is used only to validate username/password pairs.
Therefore the user must already exist in the database before PAM
can be used for authentication.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
