Re: "Optional ident" authentication

"Florian G. Pflug" <fgp@phlo.org> writes:
> I believe it would be sufficient to add an additional column to pg_hba.conf
> called "On Failure". The value could either be "Continue" or "Abort", with
> the default being "Abort" to match the current behaviour.

Then you get into the problem that it has to work for *all* auth
methods, which in general it will not, because the client probably isn't
prepared for multiple auth challenges.  Jeroen's kluge avoids that by
only working for an auth method that doesn't involve a client challenge.

The example you cited is easily implemented without any new features,
anyway, using "samegroup":
local    all    samegroup    ident sameuserlocal    all    all        md5

where users are made members of the group/role named after the database
they are allowed to log into without a password.
        regards, tom lane