Re: Best practice? Web application: single PostgreSQL

From Keith G. Murphy
Subject Re: Best practice? Web application: single PostgreSQL
Date
Msg-id 400427B2.90908@mindspring.com
In reply to Re: Best practice? Web application: single PostgreSQL  ("John Sidney-Woollett" <johnsw@wardbrook.com>)
Responses Re: Best practice? Web application: single PostgreSQL  ("John Sidney-Woollett" <johnsw@wardbrook.com>)
Re: Best practice? Web application: single PostgreSQL  (Tom Lane <tgl@sss.pgh.pa.us>)
Re: Best practice? Web application: single PostgreSQL  (Bruno Wolff III <bruno@wolff.to>)
List pgsql-general
John Sidney-Woollett wrote:

> Keith G. Murphy said:
>
>>That sounds like an excellent compromise.  How do you typically handle
>>the mechanics of authentication from web server to PostgreSQL on the
>>connect, using this scheme?
>
>
> Sorry but I can't help you out here, I'm too much of a newbie with
> Postgres - I was hoping that someone else would answer your part 1! :)
>
> John
>
Perhaps I can answer my own question.  I could use ident and a map that
lists the web server username as able to map to the different "role"
usernames.  Unfortunately, that still would allow the web server account
to "fake" role names.

If the "real" PostgreSQL accounts do not coincide with the
browser-authenticated usernames, I don't see a good way to use PAM/LDAP
or another mechanism to require that PostgreSQL itself makes sure that
the given username and password are valid.  Not saying that's a big
problem, but...

Hmmm, mightn't it be kind of nice if there were PAM or krb5 maps in
addition to ident maps?
--
Why waste time learning when ignorance is instantaneous?
         -- Hobbes
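
The ident-map scheme described in the message above, as an added example that is not part of the original post: a small Python audit that parses `pg_ident.conf`-style text and reports every operating-system account that a map allows to connect as more than one database role, which is the exposure the message points out. The map names, the OS user `www-data` and the role names are constructed for illustration, and only plain three-field mapping lines are handled.

```python
import shlex
from collections import defaultdict

# Constructed sample in pg_ident.conf layout: MAPNAME SYSTEM-USERNAME PG-USERNAME
SAMPLE_PG_IDENT = """
# map used by the web application (hypothetical names)
webroles   www-data   app_readonly
webroles   www-data   app_clerk
webroles   www-data   app_admin
localadm   postgres   postgres
"""

def parse_ident_map(text):
    """Yield (map_name, system_user, pg_user) for each mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        # shlex handles double-quoted fields and drops '#' comments
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        yield tuple(fields)

def roles_per_system_user(text):
    """Return {(map_name, system_user): sorted list of database roles}."""
    grants = defaultdict(set)
    for map_name, system_user, pg_user in parse_ident_map(text):
        grants[(map_name, system_user)].add(pg_user)
    return {key: sorted(roles) for key, roles in grants.items()}

def multi_role_accounts(text):
    """OS accounts that may pick among several roles at connect time.

    Ident only establishes the OS user; the role is whatever the client
    requests, so every role listed here is reachable by that account.
    """
    return {k: v for k, v in roles_per_system_user(text).items() if len(v) > 1}

if __name__ == "__main__":
    for (map_name, system_user), roles in multi_role_accounts(SAMPLE_PG_IDENT).items():
        print(f"map {map_name}: OS user {system_user} can connect as {', '.join(roles)}")
```
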

