Keith G. Murphy said: Perhaps I can answer my own question. I could use ident and a map that lists the web server username as able to map to the different "role" usernames. Unfortunately, that still would allow the web server account to "fake" role names.
That sounds like an excellent compromise. How do you typically handle the mechanics of authentication from web server to PostgreSQL on the connect, using this scheme?
Sorry but I can't help you out here, I'm too much of a newbie with Postgres - I was hoping that someone else would answer your part 1! :)
John
If the "real" PostgreSQL accounts do not coincide with the browser-authenticated usernames, I don't see a good way to use PAM/LDAP or another mechanism to require that PostgreSQL itself makes sure that the given username and password are valid. Not saying that's a big problem, but...
Hmmm, mightn't it be kind of nice if there were PAM or krb5 maps in addition to ident maps?
--
Why waste time learning when ignorance is instantaneous?
-- Hobbes
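
Added example, not part of the original thread: a small audit of a `pg_ident.conf`-style map that lists every PostgreSQL role a single OS account can assume, which makes the "web server account can fake role names" trade-off visible. The map name `webroles`, the OS user `www-data` and the `app_*` role names are assumptions, and the file contents are constructed sample data.

```python
# Added example: audit which PostgreSQL roles one OS account can assume
# through ident maps. The map contents below are constructed sample data.
from collections import defaultdict

SAMPLE_PG_IDENT = """\
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
webroles    www-data          app_readonly   # hypothetical role names
webroles    www-data          app_clerk
webroles    www-data          app_admin
local       postgres          postgres
"""

def parse_ident_maps(text):
    """Return {map_name: {system_user: set(pg_roles)}} for exact-match lines."""
    maps = defaultdict(lambda: defaultdict(set))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        map_name, sys_user, pg_role = fields
        if sys_user.startswith("/"):
            continue  # regex entries are skipped here and need manual review
        maps[map_name][sys_user].add(pg_role)
    return maps

def roles_reachable(text, map_name, sys_user):
    """Roles the given OS user may request when the map is in effect."""
    return sorted(parse_ident_maps(text)[map_name][sys_user])

def shared_account_findings(text):
    """OS users mapped to more than one role: any of them can be claimed."""
    findings = []
    for map_name, users in parse_ident_maps(text).items():
        for sys_user, roles in users.items():
            if len(roles) > 1:
                findings.append((map_name, sys_user, sorted(roles)))
    return findings

if __name__ == "__main__":
    for m, u, roles in shared_account_findings(SAMPLE_PG_IDENT):
        print(f"map {m}: OS user {u} may connect as any of {roles}")
```
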