Andrew Dunstan <andrew@dunslane.net> writes:
> Alvaro Herrera wrote:
>> We do, if you have you server grabbing passwords from LDAP or whatever
>> external auth service you use. That would be more secure than anything
>> mentioned in this thread, because the password enforcement could work on
>> unencrypted passwords without adverse consequences.
> We don't have it today for passwords that postgres manages. Unless we're
> going to rely on an external auth source completely, I think there's a
> good case for the hooks, but not for any of the other "adjustments" that
> people have suggested.
Yeah. Installing LDAP or Kerberos or whatever is sensible if you have
a need for a central auth server anyway. If you are just trying to run a
database, it's a major additional investment of effort, and I can't
quibble at all with people who think that it's unreasonable to have to
do that just to have some modicum of a password policy.
I also am of the opinion that it's reasonable to provide a hook or two
for this purpose, but not to go further than that.
regards, tom lane