Hello hackers,
I'd like to do this to postinit.c:
PerformAuthentication(MyProcPort);
+ AcceptInvalidationMessages();
InitializeSessionUserId(username, useroid);
Any objections? Motivation:
Many people use custom scripts, ldap2pg or other similar tools to
synchronise or manage their PostgreSQL roles from an LDAP server.
Doing that in a cron job works pretty well, but you have to wait for
the next cron job run after you make a change. Based on several
requests from the field (basically, ex-SQL Server shops, where they
love Active Directory group-based authorisation), I started wondering
if it would be crazy to do incremental per-user synchronisation at at
the moment of authentication. New hooks don't seem to be necessary,
since PAM is designed for things like that -- for example creating
your Unix home directory on demand. But I ran into one small problem:
PostgreSQL doesn't see catalog changes that happened during
authentication because of caching.
For example, you might put this in pg_hba.conf:
host all all all pam pamservice=postgresql
... and then put this in /etc/pam.d/postgresql:
auth required pam_ldap.so config=/path/to/ldap.conf
auth required pam_exec.so /path/to/ldap2pg --sync-pam-user
account required pam_permit.so
That's a fictional ldap2pg option that would synchronise only the user
passed to it in $PAM_USER. A high performance version could do
authentication and role synchronisation at the same time (perhaps
using the LDAP server's change notification/counter to skip having to
connect back to PostgreSQL to inspect catalogs in the common case that
nothing changed).
If you try things like that today, it works but any roles created
during authentication are (sometimes?) not visible to PostgreSQL until
your *next* attempt to log in.
--
Thomas Munro
http://www.enterprisedb.com
