attacks.

</para>

<para>

The <literal>md5</literal> method cannot be used with

the <xref linkend="guc-db-user-namespace"/> feature.

</para>

<para>

To ease transition from the <literal>md5</literal> method to the newer

SCRAM method, if <literal>md5</literal> is specified as a method

</para>

</listitem>

</varlistentry>

<varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">

<term><varname>db_user_namespace</varname> (<type>boolean</type>)

<indexterm>

<primary><varname>db_user_namespace</varname> configuration parameter</primary>

</indexterm>

</term>

<listitem>

<para>

This parameter enables per-database user names. It is off by default.

This parameter can only be set in the <filename>postgresql.conf</filename>

file or on the server command line.

</para>

<para>

If this is on, you should create users as <replaceable>username@dbname</replaceable>.

When <replaceable>username</replaceable> is passed by a connecting client,

<literal>@</literal> and the database name are appended to the user

name and that database-specific user name is looked up by the

server. Note that when you create users with names containing

<literal>@</literal> within the SQL environment, you will need to

quote the user name.

</para>

<para>

With this parameter enabled, you can still create ordinary global

users. Simply append <literal>@</literal> when specifying the user

name in the client, e.g., <literal>joe@</literal>. The <literal>@</literal>

will be stripped off before the user name is looked up by the

server.

</para>

<para>

<varname>db_user_namespace</varname> causes the client's and

server's user name representation to differ.

Authentication checks are always done with the server's user name

so authentication methods must be configured for the

server's user name, not the client's. Because

<literal>md5</literal> uses the user name as salt on both the

client and server, <literal>md5</literal> cannot be used with

<varname>db_user_namespace</varname>.

</para>

<note>

<para>

This feature is intended as a temporary measure until a

complete solution is found. At that time, this option will

be removed.

</para>

</note>

</listitem>

</varlistentry>

</variablelist>

</sect2>

char*passwd;

intresult;

if (Db_user_namespace)

ereport(FATAL,

(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),

errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));

if (!pg_strong_random(md5Salt,4))

{

elseif (strcmp(token->string, "reject")==0)

parsedline->auth_method=uaReject;

elseif (strcmp(token->string, "md5")==0)

{

if (Db_user_namespace)

{

ereport(elevel,

(errcode(ERRCODE_CONFIG_FILE_ERROR),

errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),

errcontext("line %d of configuration file \"%s\"",

line_num,file_name)));

*err_msg="MD5 authentication is not supported when \"db_user_namespace\" is enabled";

returnNULL;

}

parsedline->auth_method=uaMD5;

}

elseif (strcmp(token->string, "scram-sha-256")==0)

parsedline->auth_method=uaSCRAM;

elseif (strcmp(token->string, "pam")==0)

boollog_hostname;/* for ps display and logging */

boolLog_connections= false;

boolDb_user_namespace= false;

boolenable_bonjour= false;

char*bonjour_name;

if (port->database_name==NULL||port->database_name[0]=='\0')

port->database_name=pstrdup(port->user_name);

if (Db_user_namespace)

{

if (strchr(port->user_name,'@')==

port->user_name+strlen(port->user_name)-1)

*strchr(port->user_name,'@')='\0';

{

port->user_name=psprintf("%s@%s",port->user_name,port->database_name);

}

}

if (am_walsender)

MyBackendType=B_WAL_SENDER;

false,

NULL,NULL,NULL

},

{

{"db_user_namespace",PGC_SIGHUP,CONN_AUTH_AUTH,

gettext_noop("Enables per-database user names."),

},

&Db_user_namespace,

false,

NULL,NULL,NULL

},

{

{"default_transaction_read_only",PGC_USERSET,CLIENT_CONN_STATEMENT,

gettext_noop("Sets the default read-only status of new transactions."),

#authentication_timeout = 1min# 1s-600s

#password_encryption = scram-sha-256# scram-sha-256 or md5

#scram_iterations = 4096

#db_user_namespace = off

# GSSAPI using Kerberos

#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'

typedefuint32PacketLen;

externPGDLLIMPORTboolDb_user_namespace;