On Mon, Sep 26, 2005 at 07:46:45AM +0200, Martin Pitt wrote:
> --cluster would keep its meaning, --ip should be a concrete IP (like,
> 127.0.0.1) which means, access is tested from that IP). Other options
> should not be allowed. Then pg_test_hba would exit with 1 if there is
i think it would be helpful if the other options were also allowed.
for example, if method is md5, we would need to know this so that
a line with ident sameuser didn't cause a false positive.
> no matching rule, and with 0 if there is. In the success case, it
> would print out the access method ("ident sameuser" or "md5"). It
> might also be interesting whether SSL must be used or not. Maybe this
> should be printed in a second line, what do you think?
i think, ideally, this command shouldn't output anything if nothing
needs to change, and if something needs to change it should only output
what should be entered into pg_hba.conf. that way dbconfig-common
could, in its debconf prompt, tell the admin what needed to be added,
giving the admin a chance to do it himself/herself if preferred.
> You can also specify an ident map (which few people will actually do
> in practice, I guess), or a PAM service name (this does not work out
> of the box, though, since postgres is not in group shadow). So should
> dbconfig-common really become that complex? My gut feeling is that
> "ident sameuser" is the only sensible authentication method when using
> the Unix socket, at least when it comes to configuring that stuff
> automatically. Let me make the spec more precise:
>
> --method: defaults to "md5" for TCP connections, and "ident
> sameuser" for Unix socket connections
>
> Please let me know whether you really need more complexity. We can
> always add more options later, but implementing them just for the sake
> of completeness is a waste, IMHO.
okay. we can always expand later if people start breaking down the doors :)
sean
--
Attachment:
signature.asc
Description: Digital signature