Re: "Optional ident" authentication
| From | Andrew Dunstan |
|---|---|
| Subject | Re: "Optional ident" authentication |
| Date | |
| Msg-id | 456C58D5.7000101@dunslane.net |
| In response to | Re: "Optional ident" authentication (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses | Re: "Optional ident" authentication |
| List | pgsql-hackers |

Tom Lane wrote:
> "Florian G. Pflug" <fgp@phlo.org> writes:
>
>> I believe it would be sufficient to add an additional column to pg_hba.conf
>> called "On Failure". The value could either be "Continue" or "Abort", with
>> the default being "Abort" to match the current behaviour.
>
> Then you get into the problem that it has to work for *all* auth
> methods, which in general it will not, because the client probably isn't
> prepared for multiple auth challenges. Jeroen's kluge avoids that by
> only working for an auth method that doesn't involve a client challenge.

Yes, if we did that we'd probably have to fix libpq to allow for it (and any native protocol implementations such as JDBC). Can the wire protocol handle it?

> The example you cited is easily implemented without any new features,
> anyway, using "samegroup":
>
>     local all samegroup ident sameuser
>     local all all md5
>
> where users are made members of the group/role named after the database
> they are allowed to log into without a password.

I was just composing almost this identical example ;-)

'samegroup' is a much overlooked feature, I believe, and should be extremely useful for hosting providers especially.

cheers

andrew
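
As an added illustration (not code from the thread or from PostgreSQL), the sketch below simulates how the two-record rule set discussed above is evaluated: a record is selected by matching its type, database and user fields, and a failed method on the selected record is not retried against later records. It is written with `samegroup` in the database field, where the pg_hba.conf format defines that keyword; the database names, role memberships and the helper functions `select_record` and `authenticate` are constructed for the example.

```python
# Constructed rule set: the thread's two records, in pg_hba.conf field order
# (type, database, user, method), with samegroup in the database field.
HBA = [
    ("local", "samegroup", "all", "ident sameuser"),
    ("local", "all", "all", "md5"),
]
# Constructed membership: group/role named after each database -> its members.
MEMBERS = {"shopdb": {"alice"}, "blogdb": {"bob"}}


def db_matches(field, db, user):
    if field == "all":
        return True
    if field == "samegroup":  # user must belong to the role named like the db
        return user in MEMBERS.get(db, set())
    if field == "sameuser":
        return db == user
    return db in field.split(",")


def user_matches(field, user):
    return field == "all" or user in field.split(",")


def select_record(conn_type, db, user, hba=HBA):
    """First record whose type, database and user fields all match, else None."""
    for rec in hba:
        typ, db_field, user_field, _method = rec
        if typ == conn_type and db_matches(db_field, db, user) \
                and user_matches(user_field, user):
            return rec
    return None


def authenticate(db, user, os_user=None, password_ok=False):
    """Simulate one local connection attempt; returns 'method: ok|failed'."""
    rec = select_record("local", db, user)
    if rec is None:
        return "rejected: no matching record"
    method = rec[3]
    if method == "ident sameuser":
        ok = os_user == user      # OS account must equal the database user
    else:                          # md5: stand-in for the password exchange
        ok = password_ok
    # No fall-through: once a record is selected, a failed method ends the
    # attempt; later records are never tried (the "Abort" behaviour above).
    return f"{method}: {'ok' if ok else 'failed'}"
```

A group member connecting from a different OS account is refused on the ident record even with a valid password, while a non-member never matches that record and is asked for a password by the md5 record.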