From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | Bjørn T Johansen <btj(at)havleik(dot)no> |
Cc: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Authentication? |
Date: | 2018-03-07 15:19:14 |
Message-ID: | CAKFQuwYKPsf8v_i96Ez46D+fi+wFF+Hz64TpokTU3We=fx=pGg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On Wed, Mar 7, 2018 at 8:14 AM, Bjørn T Johansen <btj(at)havleik(dot)no> wrote:
> On Wed, 7 Mar 2018 07:14:55 -0700
> "David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
>
> > On Wed, Mar 7, 2018 at 6:13 AM, Bjørn T Johansen <btj(at)havleik(dot)no> wrote:
> >
> > > Hi.
> > >
> > > Is it possible to use one authentication method as default, like LDAP,
> and
> > > if the user is not found, then try to authenticate using
> > > md5/scram-sha-256 ?
> > >
> >
> > In the "Client Authentication" Chapter:
> >
> > https://www.postgresql.org/docs/10/static/auth-pg-hba-conf.html
> >
> > """
> > The first record with a matching connection type, client address,
> > requested database, and user name is used to perform authentication.
> There
> > is no “fall-through” or “backup”: if one record is chosen and the
> > authentication fails, subsequent records are not considered. If no record
> > matches, access is denied.
> > """
> >
>
> I was hoping I had misunderstood but ok.. :)
>
In the specific case you describe here you could have the server poll the
LDAP server periodically and cache the user names recognized and the
leverage:
"Multiple user names can be supplied by separating them with commas. A
separate file containing user names can be specified by preceding the file
name with @."
In short, you have to pre-compute which method each user is allowed to
access externally then provide that knowledge to PostgreSQL.
David J.
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2018-03-07 15:19:35 | Re: Authentication? |
Previous Message | Bjørn T Johansen | 2018-03-07 15:14:11 | Re: Authentication? |