On Mon, 09 May 2016 17:12:22 -0400
Tom Lane <tgl@sss.pgh.pa.us> wrote:
> If the same user id + database combinations might be valid in both
> cases (from both PHP and manual connections) I think your only other
> option for distinguishing which auth method to use is to make them
> come in on different addresses. Can you set up a secondary IP
> interface that only the PHP server uses, for example?
I did think of that but how do I define that in pg_hba? The host field
only specifies the remote IP, not the local one.
> There's no provision for saying "try this auth method, but if it
> fails, try subsequent hba lines". It might be interesting to have
> that, particularly for methods like ident that don't involve any
> client interaction. (Otherwise, you're assuming that the client can
> cope with multiple challenges, which seems like a large assumption.)
> I don't have much of a feeling for how hard it would be to do in the
> server.
I had an idea that that wouldn't be so easy else we would have had it
by now. However, I am not sure that that is what is needed. I was
thinking of something like this:
host all joe@nobody 192.168.151.75/32 password
host all all 192.168.151.75/32 ident
The "all@nobody" field is meant to specify that the remote user is
nobody but that they are connecting as user joe. You would be able to
use "all" as well. You don't even need to do an ident check unless the
auth method is "trust" which would be silly anyway. In fact "password"
is the only method that even makes any sense at all.
--
D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 788 2246 (DoD#0082) (eNTP) | what's for dinner.
IM: darcy@Vex.Net, VoIP: sip:darcy@druid.net