I was hoping I had misunderstood but ok.. :)

On Wed, 7 Mar 2018 07:14:55 -0700
"David G. Johnston" <david.g.johnston@xxxxxxxxx> wrote:
> On Wed, Mar 7, 2018 at 6:13 AM, Bjørn T Johansen <btj@xxxxxxxxxx> wrote:
>
> > Hi.
> >
> > Is it possible to use one authentication method as default, like LDAP, and
> > if the user is not found, then try to authenticate using
> > md5/scram-sha-256 ?
> >
>
> In the "Client Authentication" Chapter:
>
> https://www.postgresql.org/docs/10/static/auth-pg-hba-conf.html
>
> """
> The first record with a matching connection type, client address,
> requested database, and user name is used to perform authentication. There
> is no “fall-through” or “backup”: if one record is chosen and the
> authentication fails, subsequent records are not considered. If no record
> matches, access is denied.
> """
>
> In the specific case you describe here you could have the server poll the LDAP server periodically and cache the user names recognized and then leverage:
>
> "Multiple user names can be supplied by separating them with commas. A separate file containing user names can be specified by preceding the file name with @."
>
> In short, you have to pre-compute which method each user is allowed to access externally then provide that knowledge to PostgreSQL.
>
> David J.
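As an added illustration (not code from either poster), the following toy resolver models the pg_hba.conf rule quoted above: the first matching record decides the method and there is no fall-through. It embeds a constructed pg_hba.conf with a pre-computed `@ldap_users` list for LDAP and a catch-all scram-sha-256 record, and assumes the @file contents are supplied inline rather than read from the data directory.

```python
import ipaddress

# Constructed sample of the @file user list (in PostgreSQL this is a file in the
# data directory; supplying it inline is an assumption of this demo).
USER_FILES = {"ldap_users": "alice\nbob\n"}

# Constructed sample pg_hba.conf: LDAP only for the pre-computed user list,
# scram-sha-256 for everybody else on the same network.
PG_HBA = """
# TYPE  DATABASE  USER         ADDRESS      METHOD
host    all       @ldap_users  10.0.0.0/8   ldap
host    all       all          10.0.0.0/8   scram-sha-256
"""

def expand_users(field):
    """Expand a USER column: comma-separated names and @file references."""
    names = set()
    for item in field.split(","):
        if item.startswith("@"):
            names.update(USER_FILES[item[1:]].split())
        else:
            names.add(item)
    return names

def parse_hba(text):
    """Parse 'host' records into (database, users, network, method) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        typ, db, user, addr, method = line.split()
        assert typ == "host"  # only TCP records are modelled in this demo
        records.append((db, expand_users(user), ipaddress.ip_network(addr), method))
    return records

def choose_method(records, user, client_ip, database="postgres"):
    """Return the method of the FIRST matching record, or None (access denied).
    No fall-through: if the chosen method fails, later records are never tried."""
    ip = ipaddress.ip_address(client_ip)
    for db, users, net, method in records:
        if db in ("all", database) and ("all" in users or user in users) and ip in net:
            return method
    return None

if __name__ == "__main__":
    recs = parse_hba(PG_HBA)
    for u in ("alice", "carol"):
        print(u, "->", choose_method(recs, u, "10.1.2.3"))
```

Because `alice` matches the LDAP record first, a failed LDAP bind for her is final; only users absent from the pre-computed list ever reach the scram-sha-256 record.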