Re: password rules

Gilles Darold <gilles@darold.net>

From: Gilles Darold <gilles@darold.net>
To: raphi <raphi@crashdump.ch>, pgsql-general@lists.postgresql.org
Date: 2025-06-24T12:28:41Z
Lists: pgsql-general
Le 24/06/2025 à 07:18, raphi a écrit :
>
>
> Am 23.06.2025 um 22:39 schrieb Christoph Berg:
>> Re: raphi
>>> Sorry for this rather long (first) email on this list but I feel 
>>> like I had
>>> to explain our usecase and why LDAP is not always as simple as 
>>> adding a line
>>> to hba.conf.
>> Did you give the "pam" method a try? T
> Not really because it's a local solution. How do you change passwords 
> or keep history on your standby nodes? Besides, the documentation says 
> that postgres can't handle /etc/shadow because it runs unprivileged, 
> only pam_ldap would work. Or am I missing something?
>
> have fun,
> raphi


I think the credcheck extension has been created to handle the features 
you are requesting.

 > - enforce some password complexity and prevent reuse

This is already implemented.

 > - expire a password immediately after creating and prompt the user to 
change it upon first login try. They can connect with the initial
 > password but cannot login until they've set a new password.

I have started to work some weeks ago and it just need more time to 
end/polish the job.

 > the password history is not being replicated to the standby so we can 
not use it.

It is in my TODO list for a year as you noted and will try to implement 
it this summer.

-- 
Gilles Darold