On Mon, 09 May 2016 17:12:22 -0400 Tom Lane <tgl@xxxxxxxxxxxxx> wrote: > If the same user id + database combinations might be valid in both > cases (from both PHP and manual connections) I think your only other > option for distinguishing which auth method to use is to make them > come in on different addresses. Can you set up a secondary IP > interface that only the PHP server uses, for example? I did think of that but how do I define that in pg_hba? The host field only specifies the remote IP, not the local one. > There's no provision for saying "try this auth method, but if it > fails, try subsequent hba lines". It might be interesting to have > that, particularly for methods like ident that don't involve any > client interaction. (Otherwise, you're assuming that the client can > cope with multiple challenges, which seems like a large assumption.) > I don't have much of a feeling for how hard it would be to do in the > server. I had an idea that that wouldn't be so easy else we would have had it by now. However, I am not sure that that is what is needed. I was thinking of something like this: host all joe@nobody 192.168.151.75/32 password host all all 192.168.151.75/32 ident The "all@nobody" field is meant to specify that the remote user is nobody but that they are connecting as user joe. You would be able to use "all" as well. You don't even need to do an ident check unless the auth method is "trust" which would be silly anyway. In fact "password" is the only method that even makes any sense at all. -- D'Arcy J.M. Cain <darcy@xxxxxxxxx> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 788 2246 (DoD#0082) (eNTP) | what's for dinner. IM: darcy@xxxxxxx, VoIP: sip:darcy@xxxxxxxxx -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general