Re: Authentication?

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: Bjørn T Johansen <btj(at)havleik(dot)no>
Cc: "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: Authentication?
Date: 2018-03-07 15:19:14
Message-ID: CAKFQuwYKPsf8v_i96Ez46D+fi+wFF+Hz64TpokTU3We=fx=pGg@mail.gmail.com
Lists: pgsql-general

On Wed, Mar 7, 2018 at 8:14 AM, Bjørn T Johansen <btj(at)havleik(dot)no> wrote:

> On Wed, 7 Mar 2018 07:14:55 -0700
> "David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
>
> > On Wed, Mar 7, 2018 at 6:13 AM, Bjørn T Johansen <btj(at)havleik(dot)no> wrote:
> >
> > > Hi.
> > >
> > > Is it possible to use one authentication method as default, like LDAP, and
> > > if the user is not found, then try to authenticate using
> > > md5/scram-sha-256 ?
> > >
> >
> > In the "Client Authentication" Chapter:
> >
> > https://www.postgresql.org/docs/10/static/auth-pg-hba-conf.html
> >
> > """
> > The first record with a matching connection type, client address,
> > requested database, and user name is used to perform authentication. There
> > is no “fall-through” or “backup”: if one record is chosen and the
> > authentication fails, subsequent records are not considered. If no record
> > matches, access is denied.
> > """
> >
>
> I was hoping I had misunderstood but ok.. :)
>

In the specific case you describe here you could have the server poll the
LDAP server periodically and cache the user names recognized and then
leverage:

"Multiple user names can be supplied by separating them with commas. A
separate file containing user names can be specified by preceding the file
name with @."

In short, you have to pre-compute which method each user is allowed to
access externally then provide that knowledge to PostgreSQL.

David J.
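
The pre-computation described in the message above, as an added example that is not part of the original e-mail: a Python helper that turns an already-fetched list of LDAP user names into the file referenced with `@` in `pg_hba.conf`. The file name `ldap_users`, the host `ldap.example.org`, the LDAP options shown in the comment and the naming policy are assumptions; the LDAP query itself is left out.

```python
import os
import re
import tempfile

# Hypothetical pg_hba.conf records this file is meant for (first match wins):
#   host all @ldap_users 0.0.0.0/0 ldap ldapserver=ldap.example.org ldapprefix="uid=" ldapsuffix=",dc=example,dc=org"
#   host all all         0.0.0.0/0 scram-sha-256
# Names listed in the file authenticate via LDAP; everyone else gets SCRAM.

# Assumed naming policy: rejects quotes, whitespace and a leading "+" or "@".
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def render_user_file(ldap_names):
    """Return the text of the @-file: one double-quoted role name per line."""
    names = sorted(set(ldap_names))
    if not names:
        # An empty poll result more likely means an LDAP outage than "no users".
        raise ValueError("refusing to write an empty user list")
    bad = [n for n in names if not SAFE_NAME.fullmatch(n)]
    if bad:
        raise ValueError(f"unsafe user names: {bad!r}")
    # Quoting keeps a name such as "all" from being read as a keyword.
    return "".join(f'"{n}"\n' for n in names)


def sync_user_file(path, ldap_names):
    """Atomically replace path; return True if the content changed."""
    new_text = render_user_file(ldap_names)
    try:
        with open(path, encoding="utf-8") as fh:
            if fh.read() == new_text:
                return False
    except FileNotFoundError:
        pass
    # Write beside the target so os.replace() is an atomic rename and the
    # server never reads a half-written list.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True
```

When `sync_user_file` returns `True`, the server still needs a configuration reload (`pg_ctl reload` or `SELECT pg_reload_conf()`) before the new list takes effect.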
