On Wed, Mar 7, 2018 at 8:14 AM, Bjørn T Johansen <b...@havleik.no> wrote:
> On Wed, 7 Mar 2018 07:14:55 -0700
> "David G. Johnston" <david.g.johns...@gmail.com> wrote:
>
> > On Wed, Mar 7, 2018 at 6:13 AM, Bjørn T Johansen <b...@havleik.no> wrote:
> >
> > > Hi.
> > >
> > > Is it possible to use one authentication method as default, like LDAP, and
> > > if the user is not found, then try to authenticate using
> > > md5/scram-sha-256 ?
> > >
> >
> > In the "Client Authentication" Chapter:
> >
> > https://www.postgresql.org/docs/10/static/auth-pg-hba-conf.html
> >
> > """
> > The first record with a matching connection type, client address,
> > requested database, and user name is used to perform authentication. There
> > is no “fall-through” or “backup”: if one record is chosen and the
> > authentication fails, subsequent records are not considered. If no record
> > matches, access is denied.
> > """
> >
>
> I was hoping I had misunderstood but ok.. :)
>

In the specific case you describe here you could have the server poll the LDAP server periodically and cache the user names recognized and then leverage:

"Multiple user names can be supplied by separating them with commas. A separate file containing user names can be specified by preceding the file name with @."

In short, you have to pre-compute which method each user is allowed to access externally then provide that knowledge to PostgreSQL.

David J.
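
The pre-computed user file suggested in the reply above, as an added example that is not part of the original thread: a shell helper that turns LDIF output into the file referenced with @ in pg_hba.conf. The uid attribute, the ldap_users file name, ldap.example.com and the dc=example,dc=com base are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: the uid attribute,
# the ldap_users file, ldap.example.com and the dc=example,dc=com base.
#
# pg_hba.conf records this file feeds (first match wins, no fall-through):
#   host all @ldap_users 0.0.0.0/0 ldap ldapserver=ldap.example.com ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=com"
#   host all all         0.0.0.0/0 scram-sha-256
# A name listed in ldap_users can only ever authenticate through LDAP;
# everyone else only through scram-sha-256.

# Read LDIF on stdin, print validated user names: one per line, sorted, unique.
# Names with ',', '+', '@', spaces or upper case are dropped, and so is the
# keyword "all", so a directory entry cannot widen the match of the record.
ldif_to_users() {
    sed -n 's/^uid: *//p' |
    LC_ALL=C grep -E '^[a-z_][a-z0-9_]*$' |
    grep -vx 'all' |
    LC_ALL=C sort -u
}

# Write the list to file $1 atomically. If the new list is empty (for example
# the LDAP server was unreachable), keep the previous file and return 2.
write_user_file() {
    target=$1
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    ldif_to_users > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "empty user list, keeping existing $target" >&2
        return 2
    fi
    chmod 0640 "$tmp"
    mv "$tmp" "$target"
}

# Typical periodic use (paths and host are assumptions). pg_hba.conf and the
# files it references are re-read only on reload:
#   ldapsearch -x -LLL -H ldap://ldap.example.com \
#       -b ou=people,dc=example,dc=com uid \
#     | write_user_file /etc/postgresql/ldap_users && pg_ctl reload
```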