Multiple authentication methods for PostgreSQL

I presently use "md5" authentication for access from the LAN:

host all all 192.168.1.0/24 md5

I want to add the LDAP authentication method, so I added this line before it:

host all all 192.168.1.0/24 ldap "ldap://192.168.1.2/basedn;uid=;,cn=xx,dc=yy,dc=zz,dc=ca"

This works great with LDAP accounts, but if I try to log in with an account not present on the LDAP server, the login fails (PostgreSQL doesn't try the md5 authentication).

Is there a way to support more than one authentication method with PostgreSQL?


Solution 1:

No -- Since the pg_hba.conf records are examined sequentially for each connection attempt, the order of the records is significant. -- In other words "First match is the method I'm going to use".
You would have to explicitly list all the local (md5) accounts before proceeding to the "all users" LDAP authentication in order for this to work (and that starts to get hairy with maintaining the pg_hba.conf file).

As a workaround you can use the pam authentication method, and configure PAM's "postgres" service to use whatever methods you wish (including falling back to alternate methods), but this limits you to whatever PAM modules are installed/configured on your system.
(For suitably broad definitions of "limits" -- e.g. you could use one-time passwords for Postgres accounts if you use PAM as the authentication method).
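
The first-match rule described in the answer, as an added example that is not part of the original post: a simplified Python model of how `host` records are selected, run against the ordering from the question and against the "list local accounts first" layout. The role names `app_local` and `report_local`, the database name and the client addresses are constructed for illustration, and the matcher covers only `host` records with a CIDR address.

```python
import ipaddress
import shlex

def parse_hba(text):
    """Parse 'host' records: type, database, user, address, method [options]."""
    records = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # keeps the quoted LDAP option whole
        if len(fields) >= 5 and fields[0] == "host":
            _, db, user, addr, method = fields[:5]
            records.append((db.split(","), user.split(","),
                            ipaddress.ip_network(addr), method))
    return records

def auth_method(records, database, user, client_ip):
    """Return the method of the first matching record, or None if nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    for dbs, users, net, method in records:
        if (("all" in dbs or database in dbs)
                and ("all" in users or user in users)
                and ip in net):
            return method  # first match wins; later records are never consulted
    return None  # no record matched: the connection is rejected

# Ordering from the question: the LDAP record shadows the md5 record entirely.
AS_ASKED = '''
host all all 192.168.1.0/24 ldap "ldap://192.168.1.2/basedn;uid=;,cn=xx,dc=yy,dc=zz,dc=ca"
host all all 192.168.1.0/24 md5
'''

# Layout from the answer: local (md5) roles listed explicitly before the LDAP catch-all.
# app_local and report_local are constructed role names.
LOCAL_FIRST = '''
host all app_local,report_local 192.168.1.0/24 md5
host all all 192.168.1.0/24 ldap "ldap://192.168.1.2/basedn;uid=;,cn=xx,dc=yy,dc=zz,dc=ca"
'''

if __name__ == "__main__":
    for name, conf in (("as asked", AS_ASKED), ("local first", LOCAL_FIRST)):
        recs = parse_hba(conf)
        for user in ("app_local", "alice"):
            print(name, user, auth_method(recs, "sales", user, "192.168.1.50"))
```

A failed password check under the selected method ends the attempt, so the security-relevant property is the record order itself: any catch-all record placed above a more specific one silently overrides it.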