Re: fallback authentication

On Sat, Dec 11, 2004 at 01:51:07PM -0600, Bruno Wolff III wrote:
> On Fri, Dec 10, 2004 at 20:50:56 -0500,
>   Ron Peterson <rpeterso@mtholyoke.edu> wrote:
> > On Fri, Dec 10, 2004 at 03:20:50PM -0500, Ron Peterson wrote:
> >
> > > Sometimes, however, I would like to create an account in PostgreSQL
> > > which I do not want to also maintain in LDAP.  Is it possible to
> > > configure authentication to fall through to a different method?
> >
> > I suppose the right thing to do is either
> >
> > * don't be lazy, and update my LDAP maintainance to include the
> >   required accounts, or
> >
> > * fall through in pam.  Is there anything similar in concept to
> >   libpam-pgsql, but which simply authenticates against PostgreSQL's
> >   built-in authentication mechanism?
>
> You can put per user exceptions first in your pg_hba.conf file. That way
> these people will be handled by those rules, but other users can be
> authenticated using pam.

I have:

host    all         all         127.0.0.1         255.255.255.255   md5
host    all         all         127.0.0.1         255.255.255.255   pam postgresql
host    all         all         0.0.0.0           0.0.0.0           reject

I've also tried reversing the first two lines.  Either strategy
individually works, but I'd like lookups which don't work locally to try
pam (or vice-versa).  What am I missing?

I have to use pam to authenticate my local userbase, unless I start also
maintaining the necessary postgresql password hash.  But I'd like to
also have a few local administrative accounts that don't exist in ldap.
Bottom line is, I can always put them in ldap if I really have to; I was
just hoping there was a lazier way.  I feel like I'm working harder at
being lazy than if I'd just tweak my ldap account maintainance
procedures, though... ;)

--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso