Dmitry Morozovsky <marck@rinet.ru> writes:
> There is no "fall-through" or "backup": if one record is chosen
> and the authentication fails, the following records are not
> considered.
> Are there any plans to loose this restriction?
No. I don't believe we could count on clients to respond to multiple
authentication challenges of different types.
> It would be very useful to use e.g.
> local all ident admin
> local sameuser ident sameuser
> local all password passwd.user
The "sameuser" part of this works now, since sameuser is a record
matching constraint, not an authentication test.
There has been some talk of adding a more flexible username-matching
field to pg_hba (whereupon the file name would be inappropriate ;-))
but no one's really done any work on it.
regards, tom lane