On Wed, Nov 30, 2011 at 09:23, Heiko Wundram <modelnine@xxxxxxxxxxxxx> wrote: > Am 29.11.2011 23:49, schrieb Tom Lane: >> >> Another way that we've sometimes recommended people handle custom login >> restrictions is >> (1) use PAM for authentication >> (2) find or write a PAM plugin that makes the kind of check you want > > Very interesting - I'll first try the connlimit approach hinted at by Filip, > but if PostgreSQL does normal session setup/teardown using PAM (I've never > used PAM authentication for PostgreSQL before), this should be a workable > solution in case using iptables doesn't turn out to properly handle > disconnected sessions quickly enough. I don't believe we do teardown using PAM, just session start. So you'd have to have your PAM module check the current state of postgresql every time - not keep some internal state. FWIW, another option for writing your authentication module is to write a simple RADIUS server running on the same box. It's pretty trivial to do, especially in a high level language. The end result is the same as if you use PAM - you get custom authentication that can apply specific checks. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/ -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
