On Wed, 7 Mar 2018 10:19:35 -0500
Stephen Frost <sfrost@snowman.net> wrote:
> Greetings,
>
> * Bjørn T Johansen (btj@havleik.no) wrote:
> > Is it possible to use one authentication method as default, like LDAP, and if the user is not found, then try to
authenticateusing
> > md5/scram-sha-256 ?
>
> Not directly in pg_hba.conf. You might be able to construct a system
> which works like this using PAM though, but it wouldn't be much fun.
>
> LDAP use really should be discouraged as it involves sending the
> password to the PG server. If you are operating in an active directory
> environment then you should be using GSSAPI/Kerberos.
>
> SCRAM is a good alternative as it doesn't send the password to the
> server either, though that is only available in PG10, of course.
>
> Thanks!
>
> Stephen
Ok, thx... Will check out GSSAPI/Kerberos instead... :)
BTJ
