Provide more detail in postmaster log for password authentication failures.

tglsfdc · tglsfdc · commit 5e0b5dcab685 · 2016-01-07T11:19:33.000-05:00
We tell people to examine the postmaster log if they're unsure why they are getting auth failures, but actually only a few relatively-uncommon failure cases were given their own log detail messages in commit 64e43c5. Expand on that so that every failure case detected within md5_crypt_verify gets a specific log detail message. This should cover pretty much every ordinary password auth failure cause. So far I've not noticed user demand for a similar level of auth detail for the other auth methods, but sooner or later somebody might want to work on them. This is not that patch, though.
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
@@ -50,7 +50,11 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 	/* Get role info from pg_authid */
 	roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
 	if (!HeapTupleIsValid(roleTup))
+	{
+		*logdetail = psprintf(_("Role \"%s\" does not exist."),
+							  role);
 		return STATUS_ERROR;	/* no such user */
+	}
 
 	datum = SysCacheGetAttr(AUTHNAME, roleTup,
 							Anum_pg_authid_rolpassword, &isnull);
@@ -71,13 +75,20 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 	ReleaseSysCache(roleTup);
 
 	if (*shadow_pass == '\0')
+	{
+		*logdetail = psprintf(_("User \"%s\" has an empty password."),
+							  role);
 		return STATUS_ERROR;	/* empty password */
+	}
 
 	CHECK_FOR_INTERRUPTS();
 
 	/*
 	 * Compare with the encrypted or plain password depending on the
-	 * authentication method being used for this connection.
+	 * authentication method being used for this connection.  (We do not
+	 * bother setting logdetail for pg_md5_encrypt failure: the only possible
+	 * error is out-of-memory, which is unlikely, and if it did happen adding
+	 * a psprintf call would only make things worse.)
 	 */
 	switch (port->hba->auth_method)
 	{
@@ -154,6 +165,9 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 		else
 			retval = STATUS_OK;
 	}
+	else
+		*logdetail = psprintf(_("Password does not match for user \"%s\"."),
+							  role);
 
 	if (port->hba->auth_method == uaMD5)
 		pfree(crypt_pwd);
