raphi <raphi@crashdump.ch> writes:
> We can set a password for a role in PG but there is no way to force a
> user to change it, prevent reuse or to enforce some complexity on it. As
> I understand, that's by choice and when I ask about this, the usual
> answer is "that's not the job of a database, use LDAP for it".
> ...
> Is there any chance PG will provide this natively or are there any
> technical limitations I am unaware of?

I think we have pretty much decided that that will never be part of
core Postgres. If you don't like using an extension for it, you're
out of luck. (The core developers have too much to do already, so
we are never going to be receptive to arguments like "I don't want
to use an extension". But in this case the space of possible
requirements is so large that it doesn't make sense to try to build
a one-size-fits-all in-core solution.)

Extension or not, there are serious objections to many aspects of
such a feature, namely that they can't be enforced without requiring
clients to send cleartext passwords to the server. That in itself
is a security problem. For that matter, the whole business of using
passwords rather than other ID technologies (SSL certificates,
Kerberos/GSS tickets, etc) is feeling pretty twentieth-century.

			regards, tom lane
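
The cleartext objection in the reply above, as an added example (not part of the original message and not PostgreSQL code): a client that hashes locally sends only a SCRAM-SHA-256 verifier, so a server-side check cannot see length or character classes and can only re-hash specific guesses. `complexity_ok`, `server_side_check`, the policy and the sample passwords are hypothetical; ASCII passwords are assumed, so SASLprep normalization is skipped.

```python
import base64
import hashlib
import hmac
import re

def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    # Client-side hashing into the SCRAM-SHA-256 verifier layout (RFC 5802 keys).
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def complexity_ok(cleartext: str) -> bool:
    # Hypothetical policy: at least 12 characters with lower, upper and digit.
    return len(cleartext) >= 12 and all(
        re.search(p, cleartext) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))

def server_side_check(received: str, username: str) -> str:
    # What a server-side hook can decide from the string it was actually sent.
    m = re.fullmatch(r"SCRAM-SHA-256\$(\d+):([^$]+)\$([^:]+):(.+)", received)
    if m is None:  # cleartext arrived, so the policy is enforceable
        return "accept" if complexity_ok(received) else "reject"
    iterations, salt = int(m.group(1)), base64.b64decode(m.group(2))
    # Pre-hashed input: length and character classes are gone. The only
    # remaining test is re-hashing a specific guess, here the user name.
    if hmac.compare_digest(scram_verifier(username, salt, iterations), received):
        return "reject"
    return "unverifiable"

def demo() -> dict:
    salt = bytes(range(16))  # constructed salt; real clients use random bytes
    weak = scram_verifier("abc", salt)
    strong = scram_verifier("Tr0ub4dor-Horse-Staple", salt)
    return {
        "cleartext_weak": server_side_check("abc", "alice"),
        "verifier_weak": server_side_check(weak, "alice"),
        "verifier_strong": server_side_check(strong, "alice"),
        "verifier_username": server_side_check(scram_verifier("alice", salt), "alice"),
        "same_length": len(weak) == len(strong),
    }

if __name__ == "__main__":
    print(demo())
```

The weak and strong passwords produce verifiers of identical shape, which is why a complexity rule is only enforceable when the cleartext itself reaches the server.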