A couple {days,weeks} ago, someone sent an email to one of the pgsql-*
lists asking if anybody had thought about implementing the glue to use PAM
as authentication method for PostgreSQL. Having thought about being able
to easily drop in various external authentication agents, I've been
thinking about using PAM for PostgreSQL for a while... The recent thread
inspired me, and I have now finished (and tested - imagine that :) the
code.
I vaguely remember there were a few points brought up for discussion
during the short thread - unfortunately I was unable to find it in the
archives (the search somehow seems not to be working (anymore)) - and I
deleted all but one email - the one from Peter:
> Peter Eisentraut writes:
> Konstantinos Agouros writes:
> > I would really like to be able to use external authentication-methods
> > (the password not the itself) to avoid setting up pass- words.
>
> What particular method that does not use passwords are you interested in?
I think is question should be read as "... to avoid having to set up local
postgresql passwords."
... Imagine the following scenario:
Relatively large enterprise (6000+ employees), where several departments
have a need to use databases of various kinds. (Currently, unfortunately,
all Access Shared filesystem databases... Yuk.)
Nice shiny PostgreSQL server sitting in the corner with lots of
(currently) free disk space on it - places where, through ODBC, we could
stuff the data from all these access databases, and 1) get them off the
network (and off IPX), and 2) central repository that is easy to back up,
administrate, etc...
Now, it would be annoying to have to maintain local passwords for
PostgreSQL for all of the X number of users who will be having tablespace
on this server. This would be an excellent place for PAM, in cooperation
with something like pam_ldap - the module that lets PAM authenticate into
LDAP (which, in our case, sits on top of NDS, and contains all the
user/etc information.)
I have several other examples where this could come in handy (Oddly
enough, most of them involving LDAP... imagine that. :)
Is there any discussion before I submit the patch to -patches?
-Dominic
--
Dominic J. Eidson "Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/