On 08/14/2012 05:03 PM, Michael Braun wrote:
Hi,

I've just recently upgraded to postgrsql 9.1 and also hit bug #5763.
Having +group not match all superusers is essential to be able to assign
different authentication backends to different superusers with needing
to edit configuration files on the radius host system. E.g. to be able
to authenticate some against ldap services and some against the password
stored in the database, so the superusers can opt into the central
authentication system if they want to. With the old postgresql version,
all user managers would only need postgresql tcp access, no access to
files or similar.

Could the different behaviour (superusers matching all/not all group
entries in hba.conf) perhaps become a configuration item?



This is a feature in the upcoming 9.2. IIRC the consensus was not to backport it. There is no point in making it a configuration item, really, since the workaround for the old behaviour would be to add the superusers explicitly to the required groups. If you're interested and want to apply it to your own build, it's pretty much a one line patch: See <https://github.com/postgres/postgres/commit/94cd0f1ad8af722a48a30a1087377b52ca99d633>

cheers

andrew


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to