Alvaro Herrera wrote:
> On Wed, Apr 27, 2005 at 12:03:54PM -0400, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > momjian@svr1.postgresql.org (Bruce Momjian) writes:
> > > > Mention that PAM requires the user already exist in the database, per
> > > > Dick Davies.
> > >
> > > I don't recall exactly what Dick suggested, but the patch as applied
> > > seems like fairly useless verbiage. Exactly which of our other auth
> > > methods allow users who *don't* exist in the database to log in?
> > > And why would anyone find it surprising that this does not happen?
> >
> > Can someone comment if having to create the database user account to use
> > PAM is something that people forget? Is there increased confusion
> > because PAM is usually used for the operating system usernames?
> >
> > Attached is the addition I made to the docs recently. Is it useful?
>
> Yes, because PAM works differently on other systems, especially if it's
> configured to use LDAP or some such. Though I'd rephrase with something
> like
>
> > default PAM service name is <literal>postgresql</literal>. You can
> > optionally supply your own service name after the <literal>pam</>
> > key word in the file <filename>pg_hba.conf</filename>.
> > ! Note that PAM is only used to validate username/password pairs;
> > ! therefore, the user must already exist in the database before PAM
> > ! can be used for authentication. For more information about
> > ! PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/">
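Review bot: In the changed lines, "the user must already exist in the database" leaves "the user" unqualified. The confusion raised in this thread is that PAM is usually associated with operating system usernames, so the sentence should say "the database user" to make clear which account has to be created first. It would also help to point the reader to where creating database users is documented, since the note states the requirement but not how to meet it.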
OK, update done:
PAM is used only to validate username/password pairs.
Therefore the user must already exist in the database before PAM
can be used for authentication.
--
Bruce Momjian | http://candle.pha.pa.us