From: Bruce Momjian
To: Alvaro Herrera
Cc: Tom Lane, PostgreSQL-documentation, rasputnik@hellooperator.net
Subject: Re: PAM documentation
Date: Wed, 27 Apr 2005 16:11:16 -0400 (EDT)
Message-Id: <200504272011.j3RKBGt19907@candle.pha.pa.us>
In-Reply-To: <20050427163120.GA27525@dcc.uchile.cl>

Alvaro Herrera wrote:
> On Wed, Apr 27, 2005 at 12:03:54PM -0400, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > momjian@svr1.postgresql.org (Bruce Momjian) writes:
> > > > Mention that PAM requires the user already exist in the database, per
> > > > Dick Davies.
> > >
> > > I don't recall exactly what Dick suggested, but the patch as applied
> > > seems like fairly useless verbiage. Exactly which of our other auth
> > > methods allow users who *don't* exist in the database to log in?
> > > And why would anyone find it surprising that this does not happen?
> >
> > Can someone comment if having to create the database user account to use
> > PAM is something that people forget? Is there increased confusion
> > because PAM is usually used for the operating system usernames?
> >
> > Attached is the addition I made to the docs recently. Is it useful?
>
> Yes, because PAM works differently on other systems, especially if it's
> configured to use LDAP or some such. Though I'd rephrase with something
> like
>
> > default PAM service name is postgresql. You can
> > optionally supply your own service name after the pam
> > key word in the file pg_hba.conf.
> > ! Note that PAM is only used to validate username/password pairs;
> > ! therefore, the user must already exist in the database before PAM
> > ! can be used for authentication. For more information about
> > ! PAM, please read the

OK, update done:

    PAM is used only to validate username/password pairs. Therefore the user
    must already exist in the database before PAM can be used for
    authentication.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
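
Review bot: in the quoted `!` lines, "the user must already exist in the database" does not say that this database user is separate from the account PAM validates, which is the confusion the thread raises about operating system usernames. Suggest naming the distinction in the added sentence, for example "a database user with the same name must already exist". The last `!` line also ends at "please read the" on this page, so the reference it introduces cannot be checked here.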