Re: Keystone auth in PostgreSQL

On Thu, Mar 15, 2012 at 6:38 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Our standard answer when someone asks for $random-auth-method is to
> suggest that they find a PAM module for it and use PAM.  I wouldn't
> want to claim that PAM is a particularly great interface for this
> sort of thing, but it's out there and I don't know of any serious
> competition.

I considered writing a PAM module to do some stuff at one time (to try
to solve the two-passwords-for-a-user problem), but the non-intrinsic
complexity to perform pretty simple tasks in the whole thing is pretty
terrible -- it ended up being more attractive to do fairly ugly role
mangling in Postgres's own authentication system.  And, like you, I
don't know of any serious competition to PAM in performing simple
authentication delegations.

--
fdr