Re: password rules
Gilles Darold <gilles@darold.net>
From: Gilles Darold <gilles@darold.net>
To: raphi <raphi@crashdump.ch>, pgsql-general@lists.postgresql.org
Date: 2025-06-24T12:28:41Z
Lists: pgsql-general
Le 24/06/2025 à 07:18, raphi a écrit : > > > Am 23.06.2025 um 22:39 schrieb Christoph Berg: >> Re: raphi >>> Sorry for this rather long (first) email on this list but I feel >>> like I had >>> to explain our usecase and why LDAP is not always as simple as >>> adding a line >>> to hba.conf. >> Did you give the "pam" method a try? T > Not really because it's a local solution. How do you change passwords > or keep history on your standby nodes? Besides, the documentation says > that postgres can't handle /etc/shadow because it runs unprivileged, > only pam_ldap would work. Or am I missing something? > > have fun, > raphi I think the credcheck extension has been created to handle the features you are requesting. > - enforce some password complexity and prevent reuse This is already implemented. > - expire a password immediately after creating and prompt the user to change it upon first login try. They can connect with the initial > password but cannot login until they've set a new password. I have started to work some weeks ago and it just need more time to end/polish the job. > the password history is not being replicated to the standby so we can not use it. It is in my TODO list for a year as you noted and will try to implement it this summer. -- Gilles Darold