On Mon, Sep 26, 2005 at 07:46:45AM +0200, Martin Pitt wrote:
> --cluster would keep its meaning, --ip should be a concrete IP (like,
> 127.0.0.1) which means, access is tested from that IP). Other options
> should not be allowed. Then pg_test_hba would exit with 1 if there is

i think it would be helpful if the other options were also allowed. for
example, if method is md5, we would need to know this so that a line
with ident sameuser didn't cause a false positive.

> no matching rule, and with 0 if there is. In the success case, it
> would print out the access method ("ident sameuser" or "md5"). It
> might also be interesting whether SSL must be used or not. Maybe this
> should be printed in a second line, what do you think?

i think, ideally, this command shouldn't output anything if nothing
needs to change, and if something needs to change it should only output
what should be entered into pg_hba.conf. that way dbconfig-common could,
in its debconf prompt, tell the admin what needed to be added, giving
the admin a chance to do it himself/herself if preferred.

> You can also specify an ident map (which few people will actually do
> in practice, I guess), or a PAM service name (this does not work out
> of the box, though, since postgres is not in group shadow). So should
> dbconfig-common really become that complex? My gut feeling is that
> "ident sameuser" is the only sensible authentication method when using
> the Unix socket, at least when it comes to configuring that stuff
> automatically. Let me make the spec more precise:
>
>   --method: defaults to "md5" for TCP connections, and "ident
>   sameuser" for Unix socket connections
>
> Please let me know whether you really need more complexity. We can
> always add more options later, but implementing them just for the sake
> of completeness is a waste, IMHO.

okay. we can always expand later if people start breaking down the
doors :)

sean

--
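The check discussed in this thread, sketched as an added example (not code from the thread or from postgresql-common): it finds the first pg_hba.conf rule that applies to a connection, since PostgreSQL uses only the first matching record, and returns the exit status from the spec, with `--method` defaulting as Martin describes. The function names and the sample file are hypothetical; it assumes plain names or `all` in the database and user columns and IP addresses only (no `sameuser`/`@file` keywords, no quoted fields).

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the thread).
SAMPLE_HBA = """\
# TYPE   DATABASE  USER      CIDR-ADDRESS   METHOD
local    all       postgres                 ident sameuser
local    all       all                      ident sameuser
host     all       all       127.0.0.1/32   md5
hostssl  appdb     all       10.0.0.0/8     md5
"""

def parse_hba(text):
    """Yield (type, databases, users, network-or-None, method) per rule."""
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) < 4:
            continue  # blank, comment-only or incomplete line
        conn, rest, net = f[0], f[3:], None
        if conn != "local":
            # Address is either CIDR ("10.0.0.0/8") or "address netmask".
            width = 1 if "/" in rest[0] else 2
            net = ipaddress.ip_network("/".join(rest[:width]), strict=False)
            rest = rest[width:]
        yield conn, f[1].split(","), f[2].split(","), net, " ".join(rest)

def first_match(text, database, user, ip=None, ssl=False):
    """Return (type, method) of the first applicable rule, or None.
    ip=None means a Unix-socket connection."""
    addr = ipaddress.ip_address(ip) if ip else None
    for conn, dbs, users, net, method in parse_hba(text):
        if (conn == "local") != (addr is None):
            continue  # socket rules only match socket connections
        if (conn == "hostssl" and not ssl) or (conn == "hostnossl" and ssl):
            continue
        if addr is not None and addr not in net:
            continue
        if not {"all", database} & set(dbs) or not {"all", user} & set(users):
            continue
        return conn, method
    return None

def hba_test(text, database, user, ip=None, method=None, ssl=False):
    """Exit status per the spec: 0 if the deciding rule uses `method`, else 1."""
    method = method or ("md5" if ip else "ident sameuser")
    hit = first_match(text, database, user, ip, ssl)
    return 0 if hit and hit[1] == method else 1
```

Comparing the method of the deciding rule, rather than only testing that some rule matches, is what avoids the false positive raised above, where an `ident sameuser` line would otherwise satisfy a check made for `md5`.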