Not to get off topic, can you authenticate database users via Kerberos?
Thanks,
~Ben
On Wed, Mar 7, 2018 at 10:19 AM, Stephen Frost <sfrost@snowman.net> wrote:
Greetings, * Bjørn T Johansen (btj@havleik.no) wrote: > Is it possible to use one authentication method as default, like LDAP, and if the user is not found, then try to authenticate using > md5/scram-sha-256 ?
Not directly in pg_hba.conf. You might be able to construct a system which works like this using PAM though, but it wouldn't be much fun.
LDAP use really should be discouraged as it involves sending the password to the PG server. If you are operating in an active directory environment then you should be using GSSAPI/Kerberos.
SCRAM is a good alternative as it doesn't send the password to the server either, though that is only available in PG10, of course.
