> On Wed, Mar 7, 2018 at 6:13 AM, Bjørn T Johansen <btj@havleik.no> wrote:
>
> > Hi.
> >
> > Is it possible to use one authentication method as default, like LDAP, and
> > if the user is not found, then try to authenticate using
> > md5/scram-sha-256 ?
> >
>
> In the "Client Authentication" Chapter:
>
> https://www.postgresql.org/docs/10/static/auth-pg-hba-conf.html
>
> """
> The first record with a matching connection type, client address,
> requested database, and user name is used to perform authentication. There
> is no “fall-through” or “backup”: if one record is chosen and the
> authentication fails, subsequent records are not considered. If no record
> matches, access is denied.
> """
>
I was hoping I had misunderstood but ok.. :)
In the specific case you describe here you could have the server poll the LDAP server periodically and cache the user names recognized and then leverage:
"Multiple user names can be supplied by separating them with commas. A separate file containing user names can be specified by preceding the file name with @."
In short, you have to pre-compute which method each user is allowed to access externally then provide that knowledge to PostgreSQL.
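
A sketch of the pre-computation described above, as an added example that is not part of the original thread: it turns the names returned by a periodic LDAP poll into the `@` user-names file and shows the two `pg_hba.conf` records that would use it. The file name `ldap_users`, the function names, the allowlist pattern and the LDAP server values are assumptions; the poll itself is left out and its result is passed in as a list.

```python
import os
import re
import tempfile

# Conservative allowlist (assumption): plain role names only. This excludes
# commas, whitespace, quotes and '#', and the prefixes '+', '@' and '/', all
# of which carry special meaning in a pg_hba.conf user field.
SAFE_NAME = re.compile(r"[a-z_][a-z0-9_]{0,62}")
RESERVED = {"all"}  # unquoted keyword that matches every user


def filter_names(ldap_names):
    """Return (accepted, rejected) from names returned by the LDAP poll."""
    accepted, rejected = set(), []
    for name in ldap_names:
        if SAFE_NAME.fullmatch(name) and name not in RESERVED:
            accepted.add(name)
        else:
            rejected.append(name)
    return sorted(accepted), rejected


def write_user_file(path, ldap_names):
    """Atomically replace the @file; keep the old one if nothing is usable."""
    accepted, rejected = filter_names(ldap_names)
    if not accepted:
        # An empty or failed poll must not empty the file: that would move
        # every LDAP user onto the password record on the next reload.
        return False, rejected
    # mkstemp creates the file 0600, so run this as the server's OS user.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("# generated from LDAP poll; do not edit\n")
        fh.write("\n".join(accepted) + "\n")
    os.replace(tmp, path)  # readers see either the old or the new file
    return True, rejected


# pg_hba.conf records this file is meant for (LDAP values are placeholders).
# Order matters: only the first matching record is used.
HBA_RECORDS = """\
host  all  @ldap_users  0.0.0.0/0  ldap ldapserver=ldap.example.org ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=org"
host  all  all          0.0.0.0/0  scram-sha-256
"""

if __name__ == "__main__":
    # Constructed sample of a poll result, including names that must be dropped.
    sample = ["alice", "bob", "all", "+admins", "eve,postgres", "alice"]
    print(write_user_file("ldap_users", sample))
```

PostgreSQL reads `pg_hba.conf` and the files it references at startup and on reload, so a changed user file takes effect only after `pg_ctl reload` or `SELECT pg_reload_conf()`. Rejected names are returned so the caller can log them for review.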