Provide more detail in postmaster log for password authentication failures.
authorTom Lane <tgl@sss.pgh.pa.us>
Thu, 7 Jan 2016 16:19:33 +0000 (11:19 -0500)
committerTom Lane <tgl@sss.pgh.pa.us>
Thu, 7 Jan 2016 16:19:33 +0000 (11:19 -0500)
We tell people to examine the postmaster log if they're unsure why they are
getting auth failures, but actually only a few relatively-uncommon failure
cases were given their own log detail messages in commit 64e43c59b817a78d.
Expand on that so that every failure case detected within md5_crypt_verify
gets a specific log detail message.  This should cover pretty much every
ordinary password auth failure cause.

So far I've not noticed user demand for a similar level of auth detail
for the other auth methods, but sooner or later somebody might want to
work on them.  This is not that patch, though.

src/backend/libpq/crypt.c

index 825e6510b494e380a9722d521e82ded14c9709d3..f3c59e530362b09756dac6157b5c3445a19ef325 100644 (file)
@@ -50,7 +50,11 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
        /* Get role info from pg_authid */
        roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
        if (!HeapTupleIsValid(roleTup))
+       {
+               *logdetail = psprintf(_("Role \"%s\" does not exist."),
+                                                         role);
                return STATUS_ERROR;    /* no such user */
+       }
 
        datum = SysCacheGetAttr(AUTHNAME, roleTup,
                                                        Anum_pg_authid_rolpassword, &isnull);
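Review bot: The detail added in the `!HeapTupleIsValid(roleTup)` branch distinguishes a nonexistent role from a wrong password, but nothing at the assignment says this string must stay in the server log. If it were ever copied into the error returned to the client, an unauthenticated peer could use it to enumerate valid role names. I would add a comment above the `psprintf` call, such as `/* logdetail goes to the postmaster log only; never send it to the client */`. The same applies to the assignments added at the empty-password check and in the mismatch `else` further down. The code that finally emits `*logdetail` is outside this hunk, so this is a documentation request, not a claimed leak.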
@@ -71,13 +75,20 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
        ReleaseSysCache(roleTup);
 
        if (*shadow_pass == '\0')
+       {
+               *logdetail = psprintf(_("User \"%s\" has an empty password."),
+                                                         role);
                return STATUS_ERROR;    /* empty password */
+       }
 
        CHECK_FOR_INTERRUPTS();
 
        /*
         * Compare with the encrypted or plain password depending on the
-        * authentication method being used for this connection.
+        * authentication method being used for this connection.  (We do not
+        * bother setting logdetail for pg_md5_encrypt failure: the only possible
+        * error is out-of-memory, which is unlikely, and if it did happen adding
+        * a psprintf call would only make things worse.)
         */
        switch (port->hba->auth_method)
        {
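Review bot: The new messages use two terms for the same object: the empty-password detail here and the mismatch detail in the last hunk say `User`/`user`, while the first hunk says `Role`. Log searches and alerting rules keyed on these strings are simpler and less error-prone with one term, for example `_("Role \"%s\" has an empty password.")` here and `_("Password does not match for role \"%s\".")` below. Separately, `role` appears to be the name supplied with the connection request, so it may contain unusual characters; it is worth confirming that the log path handles them before they are interpolated into the detail text.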
@@ -154,6 +165,9 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
                else
                        retval = STATUS_OK;
        }
+       else
+               *logdetail = psprintf(_("Password does not match for user \"%s\"."),
+                                                         role);
 
        if (port->hba->auth_method == uaMD5)
                pfree(crypt_pwd);
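Review bot: The added `else` pairs with an `if` whose condition lies outside this hunk, and it follows a braced block while carrying a statement wrapped over two lines without braces. Since this branch decides what gets recorded for a failed password check, I would make the pairing explicit by wrapping the assignment in braces, `else { *logdetail = psprintf(...); }`. The first two hunks already brace their new `psprintf` assignments.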