* Tom Lane ([EMAIL PROTECTED]) wrote:
> We could certainly change flatfiles.c to disregard rolcanlogin, which'd
> actually make the code simpler. However, that in itself wouldn't change
> the behavior, unless you were to assign a password to the NOLOGIN role
> which seems a fairly strange thing to do. I think what the OP wishes
> is that "not permitted to log in" would be checked before checking
> password validity, and to do that we'd have to add rolcanlogin
> to the flat password file and put the check somewhere upstream of the
> authentication process.

I wonder if the OP was unhappy because he created a role w/ a pw and then couldn't figure out why the user couldn't log in? I've run into that in the past and it takes some leg-work to figure out what's going on. A warning on a 'create role' or 'alter role' command which sets a password when 'rolcanlogin' is false might be an alternative way to 'fix' this.

In general, I would say that it's correct to say 'invalid authentication'/'bad pw' until the user is authenticated and then say 'not permitted to log in' if they're not authorized (don't have rolcanlogin), which is I think what we do. That combined with the warning above would, I think, cover most of the problem cases.

Thanks,

Stephen
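
The check ordering discussed in this message, modeled as an added example (it is not PostgreSQL code and not part of the original message): authentication failures stay generic, and the "not permitted to log in" answer is given only after a valid password. The names `ROLES`, `create_role`, `login` and the message strings are hypothetical, and the role data is constructed.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory role catalog (constructed for this example).
ROLES = {}

AUTH_FAILED = "password authentication failed"      # generic, pre-authentication
NOT_PERMITTED = "role is not permitted to log in"   # only after a valid password
OK = "ok"

_DUMMY_SALT = os.urandom(16)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_role(name, password=None, can_login=False):
    """Store a role; return a warning string if a password is set on a
    role that cannot log in, else None."""
    salt = os.urandom(16)
    ROLES[name] = {
        "salt": salt,
        "hash": _hash(password, salt) if password is not None else None,
        "can_login": can_login,
    }
    if password is not None and not can_login:
        return f'WARNING: role "{name}" has a password but cannot log in'
    return None


def login(name, password):
    """Authenticate first, authorize second."""
    role = ROLES.get(name)
    # Hash even for unknown roles so unknown and known roles cost about the same.
    salt = role["salt"] if role else _DUMMY_SALT
    candidate = _hash(password, salt)
    stored = role["hash"] if role else None
    if stored is None or not hmac.compare_digest(candidate, stored):
        # Unknown role, role without a password, wrong password: one answer.
        return AUTH_FAILED
    # Reached only by a caller who proved knowledge of the password.
    if not role["can_login"]:
        return NOT_PERMITTED
    return OK
```

With this ordering, a caller who does not know the password cannot distinguish a NOLOGIN role from a nonexistent one, while the creation-time warning covers the administrator who set a password on such a role by mistake.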