On 10/29/2014 05:46 PM, Andres Freund wrote:
> I like this one. But then I perhaps edited too many pam configuration
> files.
It seems good to me too. I haven't looked at how viable it is in
implementation terms.
I think we could only properly support 'continue' on peer/ident in the
v3 protocol. With other protos we need to negotiate with the client
before we determine that we can't authenticate them and we send them an
auth failed message.
I guess we could just send a different auth request to the client
instead of an auth failed message, but it might confuse clients that
aren't expecting it, and it'd make it harder to report the original auth
failure if we carry on to try something else.
The advantage of doing it for peer/ident is that there's no conversation
with the client required, so the client never needs to know that we
considered peer/ident before falling back to something else.
-- Craig Ringer http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services