On 10/29/2014 05:46 PM, Andres Freund wrote:
> I like this one. But then I perhaps edited too many pam configuration
> files.

It seems good to me too. I haven't looked at how viable it is in implementation terms.

I think we could only properly support 'continue' on peer/ident in the v3 protocol. With other protos we need to negotiate with the client before we determine that we can't authenticate them and we send them an auth failed message. I guess we could just send a different auth request to the client instead of an auth failed message, but it might confuse clients that aren't expecting it, and it'd make it harder to report the original auth failure if we carry on to try something else.

The advantage of doing it for peer/ident is that there's no conversation with the client required, so the client never needs to know that we considered peer/ident before falling back to something else.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services