On 10/29/2014 02:52 AM, Craig Ringer wrote:
> On 10/29/2014 05:46 PM, Andres Freund wrote:
>> I like this one. But then I perhaps edited too many pam configuration
>> files.
>
> It seems good to me too. I haven't looked at how viable it is in
> implementation terms.
>
> I think we could only properly support 'continue' on peer/ident in the
> v3 protocol. With other protos we need to negotiate with the client
> before we determine that we can't authenticate them and we send them an
> auth failed message.
>
> I guess we could just send a different auth request to the client
> instead of an auth failed message, but it might confuse clients that
> aren't expecting it, and it'd make it harder to report the original auth
> failure if we carry on to try something else.
>
> The advantage of doing it for peer/ident is that there's no conversation
> with the client required, so the client never needs to know that we
> considered peer/ident before falling back to something else.

I don't see a problem with having a "continue" directive, and documenting that it only works with peer and ident. Maybe someday (protocol bump) we can have a way to make other methods continue, and then nobody will need to change their files to support the new way.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com