I've given an initial review of this patch. It applies cleanly and compiles without issue as of 6da9759. I'm going to continue with testing it against a set of RADIUS servers in the next few days. But in the meantime, I have a few questions (below).
> It supports multiple RADIUS servers. For all other parameters (secret, port, > identifier) one can specify either the exact same number of entries, in > which case each server gets it's own, or exactly one entry in which case > that entry will apply to all servers. (Or zero entries for everything except > secret, which will make it the default). I wonder if removing the complexity of maintaining two separate lists for the server and port would be a better/less complex approach. For instance, why not go with a list of typical 'host:port' strings for 'radiusservers'? If no port is specified, then simply use the default for that specific host. Therefore, we would not have to worry about keeping the two lists in sync. Thoughts? > Each server is tried in order. If it responds positive, auth is OK. If it > responds negative, auth is rejected. If it does not respond at all, we move > on to the next one. > > I'm wondering if in doing this we should also make the RADIUS timeout a > configurable as HBA option, since it might become more important now? Yes, I think this would make sense and would be a good idea. -Adam -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
