On Wed, Nov 30, 2011 at 09:23, Heiko Wundram <modelnine@modelnine.org> wrote:
> Am 29.11.2011 23:49, schrieb Tom Lane:
>>
>> Another way that we've sometimes recommended people handle custom login
>> restrictions is
>> (1) use PAM for authentication
>> (2) find or write a PAM plugin that makes the kind of check you want
>
> Very interesting - I'll first try the connlimit approach hinted at by Filip,
> but if PostgreSQL does normal session setup/teardown using PAM (I've never
> used PAM authentication for PostgreSQL before), this should be a workable
> solution in case using iptables doesn't turn out to properly handle
> disconnected sessions quickly enough.
I don't believe we do teardown using PAM, just session start. So you'd
have to have your PAM module check the current state of postgresql
every time - not keep some internal state.
FWIW, another option for writing your authentication module is to
write a simple RADIUS server running on the same box. It's pretty
trivial to do, especially in a high level language. The end result is
the same as if you use PAM - you get custom authentication that can
apply specific checks.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/