Le 24/06/2025 à 07:18, raphi a écrit :
>
>
> Am 23.06.2025 um 22:39 schrieb Christoph Berg:
>> Re: raphi
>>> Sorry for this rather long (first) email on this list but I feel
>>> like I had
>>> to explain our usecase and why LDAP is not always as simple as
>>> adding a line
>>> to hba.conf.
>> Did you give the "pam" method a try? T
> Not really because it's a local solution. How do you change passwords
> or keep history on your standby nodes? Besides, the documentation says
> that postgres can't handle /etc/shadow because it runs unprivileged,
> only pam_ldap would work. Or am I missing something?
>
> have fun,
> raphi
I think the credcheck extension has been created to handle the features
you are requesting.
> - enforce some password complexity and prevent reuse
This is already implemented.
> - expire a password immediately after creating and prompt the user to
change it upon first login try. They can connect with the initial
> password but cannot login until they've set a new password.
I have started to work some weeks ago and it just need more time to
end/polish the job.
> the password history is not being replicated to the standby so we can
not use it.
It is in my TODO list for a year as you noted and will try to implement
it this summer.
--
Gilles Darold
