> * Eventual Retirement of old credentials without having to issue ALTER
> statements (or really statements of any kind...) against application
> schema objects.
OK, that's a different goal. You want to be able to expire passwords
with an overlap period. That's quite different from wanting an
indefinfite number of passwords per role.
Mind you, the main way to do this right now ... and where you're going
to get pushback ... is using LDAP, ActiveDirectory or similar. At a
certain point we have to draw the line and say "PostgreSQL is not an
authtenication server". I don't know exactly where that line is, but
recognize that you're arguing about where to draw it.
-- -- Josh Berkus PostgreSQL Experts Inc.
http://www.pgexperts.com