Date: Wed, 27 Apr 2005 12:31:20 -0400
From: Alvaro Herrera
To: Bruce Momjian
Cc: Tom Lane, PostgreSQL-documentation, rasputnik@hellooperator.net
Subject: Re: PAM documentation

On Wed, Apr 27, 2005 at 12:03:54PM -0400, Bruce Momjian wrote:
> Tom Lane wrote:
> > momjian@svr1.postgresql.org (Bruce Momjian) writes:
> > > Mention that PAM requires the user already exist in the database, per
> > > Dick Davies.
> >
> > I don't recall exactly what Dick suggested, but the patch as applied
> > seems like fairly useless verbiage. Exactly which of our other auth
> > methods allow users who *don't* exist in the database to log in?
> > And why would anyone find it surprising that this does not happen?
>
> Can someone comment if having to create the database user account to use
> PAM is something that people forget? Is there increased confusion
> because PAM is usually used for the operating system usernames?
>
> Attached is the addition I made to the docs recently. Is it useful?

Yes, because PAM works differently on other systems, especially if it's
configured to use LDAP or some such. Though I'd rephrase with something
like

> default PAM service name is postgresql. You can
> optionally supply your own service name after the pam
> key word in the file pg_hba.conf.
> ! Note that PAM is only used to validate username/password pairs;
> ! therefore, the user must already exist in the database before PAM
> ! can be used for authentication. For more information about
> ! PAM, please read the

-- 
Alvaro Herrera
"Because frankly, if you had to pass an exam to know how to handle
yourself... who is the tough guy who would hold a license?" (Mafalda)
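Review bot: In the `!` lines, "the user must already exist in the database" states a requirement without saying what the administrator has to do about it. Since the sentence already says PAM "is only used to validate username/password pairs", it would help to add that a successful PAM check does not create the database user, so that user has to be created separately before PAM authentication can succeed. The "therefore" could also be dropped, because the preceding clause explains what PAM checks, not why the user's existence is a precondition.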