Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> ... I think what the OP wishes
>> is that "not permitted to log in" would be checked before checking
>> password validity, and to do that we'd have to add rolcanlogin
>> to the flat password file and put the check somewhere upstream of the
> authentication process.
>
> I wonder if the OP was unhappy because he created a role w/ a pw and
> then couldn't figure out why the user couldn't log in?

Hm, maybe. In that case just not filtering the entry out of the flat
file would be good enough. In hindsight I'm not sure why we indulged
in that bit of complication anyway --- it seems unlikely that an
installation would have so many nologin roles, compared to regular ones,
that the increase in size of the flat file would be objectionable.

> In general, I would say that it's correct to say 'invalid
> authentication'/'bad pw' until the user is authenticated and then say
> 'not permitted to log in' if they're not authorized (don't have
> rolcanlogin), which is I think what we do.

That *would* be the behavior if we removed the filtering.

regards, tom lane
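
The three orderings discussed in this message, as an added example that is not part of the original mail and is not PostgreSQL source. It is a simplified model: the `Role`, `Policy` and `Outcome` types, the function names and the sample roles are all hypothetical, and only `rolcanlogin` comes from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not PostgreSQL source; every name but rolcanlogin is hypothetical. */
typedef struct { const char *name; const char *password; bool rolcanlogin; } Role;
typedef enum { AUTH_OK, AUTH_FAILED, NOT_PERMITTED } Outcome;
typedef enum { FILTER_NOLOGIN, KEEP_ALL, LOGIN_CHECK_FIRST } Policy;

/* Constructed sample catalog. */
static const Role roles[] = {
    { "alice",  "s3cret", true  },
    { "report", "hunter", false },  /* has a password, may not log in */
};

/* Look a role up in the modelled flat file. Under FILTER_NOLOGIN the
 * nologin roles were never written to it, so they look like unknown users. */
static const Role *flat_file_lookup(const char *user, Policy p)
{
    for (size_t i = 0; i < sizeof roles / sizeof roles[0]; i++) {
        if (strcmp(roles[i].name, user) != 0)
            continue;
        if (p == FILTER_NOLOGIN && !roles[i].rolcanlogin)
            return NULL;
        return &roles[i];
    }
    return NULL;
}

Outcome connect_as(const char *user, const char *pw, Policy p)
{
    const Role *r = flat_file_lookup(user, p);
    if (r == NULL)
        return AUTH_FAILED;               /* unknown or filtered out */
    if (p == LOGIN_CHECK_FIRST && !r->rolcanlogin)
        return NOT_PERMITTED;             /* answered before any password check */
    if (strcmp(r->password, pw) != 0)     /* plain compare: model of ordering only */
        return AUTH_FAILED;
    return r->rolcanlogin ? AUTH_OK : NOT_PERMITTED;
}

int main(void)
{
    static const char *msg[] = { "ok", "authentication failed", "not permitted to log in" };
    for (int p = FILTER_NOLOGIN; p <= LOGIN_CHECK_FIRST; p++)
        printf("policy %d: right pw -> %s, wrong pw -> %s\n", p,
               msg[connect_as("report", "hunter", (Policy)p)],
               msg[connect_as("report", "nope", (Policy)p)]);
    return 0;
}
```

Under `KEEP_ALL` the nologin role gets "not permitted to log in" only after presenting the correct password, while under `LOGIN_CHECK_FIRST` it gets that answer for any password.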