On Fri, 2006-12-22 at 01:20 -0600, Bruno Wolff III wrote:
> On Thu, Dec 21, 2006 at 23:43:06 +0100,
> Tomasz Ostrowski <tometzky@batory.org.pl> wrote:
> >
> > And everything I need would be very simple to do if there was an
> > option to disable self-change of passwords for ordinary users.
>
> That seems like a feature not many other people are going to want.
> You have the soruce, and it probably wouldn't be too hard to put
> in a hack to do that.
I must say, that I was tempted to try. Even though I'm at all fit to.
In my case, it is not because of blocking of self-password change, but
on quite a similar token I need:
1. password expiration - which works on the database level in such a
way, that when account/password expire, only "alter... password .."
statement is allowed for such a user. *all* other SQL statements should
result in "RAISE EXCEPTION... " - that is: transaction aborted.
2. I also need some additional *per*session* fields (of the
"client_encoding" or "search_path" variaty) in the SET/SHOW environment.
Still, I have *never* hacked the postgres, so I'm a bit reluctant here -
this may be more then a little project I fear.
But if I try, could you pls hint me on which source files and/or
functions should I start with?
Or may be the there is a "quick start for hackers" HOWTO somwhere
around?
BTW: One of the reasons I need the hack for password change/expiry is
that neither of the two 'possible' alternatives: PAM or LDAP, do not
allow for "CREATE USER ..." as per documentation in:
"http://www.postgresql.org/docs/8.2/static/auth-methods.html#AUTH-LDAP" (but may be I'm missinterpreting the docs?)
And LDAP, although most atractive, is further unnecesarly constrained by
a depencecy on SASL.
....and putting more oil into the fire. LDAP is not actually a database
- it's an '...Access Protocol', so we may choose freely the 'LDAP
backend database' ... a good relational database like postgres is an
option here .... and this is a real mass.
So I think postgres should have more extensive *native* support for
password authentication, and I'm willing to hack .... but provided my
lack of experience - pointers to HOWTOs apreciated :)
--
-R