Re: Using both ident and password in pg_hba.conf

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
Cc: PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: Using both ident and password in pg_hba.conf
Date: 2016-05-09 21:12:22
Message-ID: 955.1462828342@sss.pgh.pa.us
Lists: pgsql-general

"D'Arcy J.M. Cain" <darcy(at)druid(dot)net> writes:
> Here's my situation. I have a mix of users. Some are running PHP
> sites and some are not. PHP runs as the web server owner, "nobody."
> Everyone else runs as their own user.

> Since the PHP sites run as nobody I want to require password but accept
> ident (from the server I control) for the rest. There does not appear
> to be a way to specify that. Here was one attempt:

> host all nobody 192.168.151.75/32 password
> host all all 192.168.151.75/32 ident

> But that doesn't work. The actual user according to ident is nobody
> but the request is for a specific user. As a result it isn't
> recognized by the first line so it tries ident anyway and fails.

> Is there any way to accomplish what I want? Any help appreciated.

If the same user id + database combinations might be valid in both cases
(from both PHP and manual connections) I think your only other option
for distinguishing which auth method to use is to make them come in on
different addresses. Can you set up a secondary IP interface that only
the PHP server uses, for example?

There's no provision for saying "try this auth method, but if it fails,
try subsequent hba lines". It might be interesting to have that,
particularly for methods like ident that don't involve any client
interaction. (Otherwise, you're assuming that the client can cope
with multiple challenges, which seems like a large assumption.)
I don't have much of a feeling for how hard it would be to do in the
server.

regards, tom lane
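As an added illustration (not part of this thread), the following Python model of pg_hba.conf's first-match rule shows why the original two records send a PHP connection that asks for a regular user to the `ident` line, and why splitting by source address as suggested above sends it to `password` instead. The database name, user name and the secondary address 192.168.151.76 are constructed assumptions, and the matcher is deliberately simplified (only `host` records, no `+role` groups, `sameuser` or `hostssl`).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class HbaRule:
    conn_type: str
    database: str
    user: str
    address: str
    method: str


def parse_hba(text):
    """Parse the five leading fields of each non-comment pg_hba.conf line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        conn_type, database, user, address, method = line.split()[:5]
        rules.append(HbaRule(conn_type, database, user, address, method))
    return rules


def rule_matches(rule, database, user, addr):
    # Simplified model: 'all' matches anything, otherwise exact name match.
    if rule.conn_type != "host":
        return False
    if rule.database not in ("all", database):
        return False
    if rule.user not in ("all", user):
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule.address)


def auth_method(rules, database, user, addr):
    """Return the method of the FIRST matching record; there is no fallthrough."""
    for rule in rules:
        if rule_matches(rule, database, user, addr):
            return rule.method
    return None  # no record matched: the server rejects the connection


# Constructed sample rule sets.  ORIGINAL mirrors the attempt quoted in the thread;
# SPLIT_BY_ADDRESS assumes the PHP server connects from a secondary IP.
ORIGINAL = """
host all nobody 192.168.151.75/32 password
host all all    192.168.151.75/32 ident
"""
SPLIT_BY_ADDRESS = """
host all all 192.168.151.76/32 password   # secondary IP used only by PHP
host all all 192.168.151.75/32 ident      # everyone else on the shared IP
"""
```

With ORIGINAL, a PHP process asking for database user "alice" from 192.168.151.75 never matches the `nobody` record, so the `ident` record is chosen and ident then fails because the OS user is nobody; with SPLIT_BY_ADDRESS the same request from 192.168.151.76 gets `password`.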
