Le 24/06/2025 à 07:18, raphi a écrit :
Am 23.06.2025 um 22:39 schrieb Christoph Berg:
Re: raphi
Sorry for this rather long (first) email on this list but I feel
like I had
to explain our usecase and why LDAP is not always as simple as
adding a line
to hba.conf.
Did you give the "pam" method a try? T
Not really because it's a local solution. How do you change passwords
or keep history on your standby nodes? Besides, the documentation says
that postgres can't handle /etc/shadow because it runs unprivileged,
only pam_ldap would work. Or am I missing something?
have fun,
raphi
I think the credcheck extension has been created to handle the features
you are requesting.
> - enforce some password complexity and prevent reuse
This is already implemented.
> - expire a password immediately after creating and prompt the user to
change it upon first login try. They can connect with the initial
> password but cannot login until they've set a new password.
I have started to work some weeks ago and it just need more time to
end/polish the job.
> the password history is not being replicated to the standby so we can
not use it.
It is in my TODO list for a year as you noted and will try to implement
it this summer.
--
Gilles Darold
