Thread

  1. Can we lock or expire a ROLE / USER

    Subramanian,Ramachandran <ramachandran.subramanian@alte-leipziger.de> — 2025-09-19T08:32:33Z

    Hello all,
    
    
       Absolute novice in Postgresql, coming from the Mainframe world.  Kindly forgive my ignorance.
    
    Is it possible to LOCK or DEACTIVATE or EXPIRE a USER ( ROLE with LOGIN ) after
    
    
      1.  A set period of inactivity
      2.  5 Wrong password attempts
    
    I searched through the manals and did not find any mention of such a facility.
    
    If it is not possible at the database level, can this be implemented in any other way?
    
    
    Regards
    
    Ram
    
    
    Freundliche Grüße
    
    i. A. Ramachandran Subramanian
    Zentralbereich Informationstechnologie
    
    Alte Leipziger Lebensversicherung a.G.
    
    
    Hallesche Krankenversicherung a.G.
    
    
    
    
    
    Alte Leipziger Lebensversicherung a.G., Alte Leipziger-Platz 1, 61440 Oberursel
    Vors. des Aufsichtsrats: Dr. Walter Botermann · Vorstand: Christoph Bohn (Vors.), Dr. Jürgen Bierbaum (stv. Vors.), Frank Kettnaker, Dr. Jochen Kriegmeier, Alexander Mayer, Wiltrud Pekarek, Udo Wilcsek
    Sitz Oberursel (Taunus) · Rechtsform VVaG · Amtsgericht Bad Homburg v. d. H. HRB 1583 · USt.-IdNr. DE 114106814
    
    
    
    
    
     
    Hallesche Krankenversicherung a.G.,  Löffelstraße 34-38, 70597 Stuttgart
    Vors. des Aufsichtsrats: Dr. Walter Botermann · Vorstand: Christoph Bohn (Vors.), Dr. Jürgen Bierbaum (stv. Vors.), Frank Kettnaker, Dr. Jochen Kriegmeier, Alexander Mayer, Wiltrud Pekarek, Udo Wilcsek
    Sitz Stuttgart · Rechtsform VVaG · Amtsgericht Stuttgart HRB 2686 · USt.-IdNr. DE 147802285
    Beiträge zu privaten Kranken- und Pflegekrankenversicherungen unterliegen nicht der Versicherungsteuer (§ 4 Nr. 5 VersStG) · Versicherungsleistungen sowie Umsätze aus Versicherungsvertreter-/Maklertätigkeiten sind umsatzsteuerfrei
     
    
    
    
     
    Die Pflichtangaben der ALH Gruppe gemäß § 35a GmbHG bzw. § 80 AktG finden Sie hier: https://www.alte-leipziger.de/impressum 
    
    
    
    
    
    ______________________
    
    ALH Gruppe
    Alte Leipziger-Platz 1, 61440 Oberursel
    Tel.: +49 (6171) 66-4882
    Fax: +49 (6171) 66-800-4882
    E-Mail: ramachandran.subramanian@alte-leipziger.de
    www.alte-leipziger.de
    www.hallesche.de
    
    
  2. Re: Can we lock or expire a ROLE / USER

    David G. Johnston <david.g.johnston@gmail.com> — 2025-09-19T13:57:28Z

    On Friday, September 19, 2025, Subramanian,Ramachandran <
    ramachandran.subramanian@alte-leipziger.de> wrote:
    
    > Is it possible to LOCK or DEACTIVATE or EXPIRE a USER ( ROLE with LOGIN )
    > after
    >
    >    1. A set period of inactivity
    >    2. 5 Wrong password attempts
    >
    > I searched through the manals and did not find any mention of such a
    > facility.
    >
    > And thus it does not exist, at least in core.  Not sure what is available
    in the world of extensions.
    
    Otherwise you’d want to log login events and you could then script a tool
    to alter role upon seeing relevant log activity.
    
    David J.
    
  3. Re: Can we lock or expire a ROLE / USER

    Laurenz Albe <laurenz.albe@cybertec.at> — 2025-09-19T15:55:16Z

    On Fri, 2025-09-19 at 08:32 +0000, Subramanian,Ramachandran wrote:
    >    Absolute novice in Postgresql, coming from the Mainframe world.  Kindly forgive my ignorance.
    >  
    > Is it possible to LOCK or DEACTIVATE or EXPIRE a USER ( ROLE with LOGIN ) after
    >  
    >    1. A set period of inactivity
    >    2. 5 Wrong password attempts
    >  
    > I searched through the manals and did not find any mention of such a facility.
    
    PostgreSQL doesn't offer support for these functionalities.
    It also does not allow you to enforce password complexity rules.
    
    > If it is not possible at the database level, can this be implemented in any other way?
    
    The way to do that is to authenticat database users using a central identity
    management system like Kerberos.  See the documentation for a list of supported
    authentication methods:
    https://www.postgresql.org/docs/current/client-authentication.html
    
    Yours,
    Laurenz Albe
    
    
    
    
  4. Re: Can we lock or expire a ROLE / USER

    TIM CHILD <tim.child@comcast.net> — 2025-09-19T16:34:13Z

    Ram,
     
    For PostgreSQL to implement features outlined below would be re-inventing the wheel as much of this feature  functional already exist in Directory Service security systems like Active Directory/LDAP.  Plus there are lots of good reasons that these types of security features be centrally located and administered rather than devolved into individual database instances and servers.
     
    To get some of the functionality I would point you to to Open LDAP directory service https://en.wikipedia.org/wiki/OpenLDAP.  PostgreSQL provides client integration with LDAP see https://www.postgresql.org/docs/current/auth-ldap.html
    However I will point out the LDAP implementations, integration and administration can be quite complex.
     
    -Tim
     
     
    
    > On 09/19/2025 1:32 AM PDT Subramanian,Ramachandran <ramachandran.subramanian@alte-leipziger.de> wrote:
    >  
    >  
    > 
    > Hello all,
    > 
    >  
    > 
    >  
    > 
    >    Absolute novice in Postgresql, coming from the Mainframe world.  Kindly forgive my ignorance.
    > 
    >  
    > 
    > Is it possible to LOCK or DEACTIVATE or EXPIRE a USER ( ROLE with LOGIN ) after
    > 
    >  
    > 
    > 1. A set period of inactivity
    > 2. 5 Wrong password attempts
    > 
    >  
    > 
    > I searched through the manals and did not find any mention of such a facility.
    > 
    >  
    > 
    > If it is not possible at the database level, can this be implemented in any other way?
    > 
    >  
    > 
    >  
    > 
    > Regards
    > 
    >  
    > 
    > Ram
    > 
    > 
    > Freundliche Grüße
    > 
    > i. A. Ramachandran Subramanian
    > Zentralbereich Informationstechnologie
    >  
    > Alte Leipziger Lebensversicherung a. G.
    > Hallesche Krankenversicherung a. G.
    > 
    >  
    > 
    >  
    > ______________________
    > 
    > ALH Gruppe
    > Alte Leipziger-Platz 1, 61440 Oberursel
    > Tel: +49 (6171) 66-4882
    > Fax: +49 (6171) 66-800-4882
    > E-Mail: ramachandran.subramanian@alte-leipziger.de
    > www.alte-leipziger.de https://www.alte-leipziger.de
    > www.hallesche.de https://www.hallesche.de
    > 
    > Alte Leipziger Lebensversicherung a. G., Alte Leipziger-Platz 1, 61440 Oberursel
    > Vors. des Aufsichtsrats: Dr. Walter Botermann · Vorstand: Christoph Bohn (Vors.), Dr. Jürgen Bierbaum (stv. Vors.), Frank Kettnaker, Dr. Jochen Kriegmeier, Alexander Mayer, Wiltrud Pekarek, Udo Wilcsek
    > Sitz Oberursel (Taunus) · Rechtsform VVaG · Amtsgericht Bad Homburg v. d. H. HRB 1583 · USt.-IdNr. DE 114106814
    > 
    > Hallesche Krankenversicherung a. G., Löffelstraße 34-38, 70597 Stuttgart
    > Vors. des Aufsichtsrats: Dr. Walter Botermann · Vorstand: Christoph Bohn (Vors.), Dr. Jürgen Bierbaum (stv. Vors.), Frank Kettnaker, Dr. Jochen Kriegmeier, Alexander Mayer, Wiltrud Pekarek, Udo Wilcsek
    > Sitz Stuttgart · Rechtsform VVaG · Amtsgericht Stuttgart HRB 2686 · USt.-IdNr. DE 147802285
    > Beiträge zu privaten Kranken- und Pflegekrankenversicherungen unterliegen nicht der Versicherungsteuer (§ 4 (1) Nr. 5 b VersStG) · Versicherungsleistungen sowie Umsätze aus Versicherungsvertreter-/Maklertätigkeiten sind umsatzsteuerfrei
    > 
    > Pflichtangaben https://www.alte-leipziger.de/impressum der ALH Gruppe gemäß § 35a GmbHG bzw. § 80 AktG
    >