Provide more detail in postmaster log for password authentication failures.

We tell people to examine the postmaster log if they're unsure why they are
getting auth failures, but actually only a few relatively-uncommon failure
cases were given their own log detail messages in commit 64e43c59b817a78d.
Expand on that so that every failure case detected within md5_crypt_verify
gets a specific log detail message.  This should cover pretty much every
ordinary password auth failure cause.

So far I've not noticed user demand for a similar level of auth detail
for the other auth methods, but sooner or later somebody might want to
work on them.  This is not that patch, though.

diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 825e6510b494e380a9722d521e82ded14c9709d3..f3c59e530362b09756dac6157b5c3445a19ef325 100644 (file)
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -50,7 +50,11 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
    /* Get role info from pg_authid */
    roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
    if (!HeapTupleIsValid(roleTup))
+   {
+       *logdetail = psprintf(_("Role \"%s\" does not exist."),
+                             role);
        return STATUS_ERROR;    /* no such user */
+   }
 
    datum = SysCacheGetAttr(AUTHNAME, roleTup,
                            Anum_pg_authid_rolpassword, &isnull);
@@ -71,13 +75,20 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
    ReleaseSysCache(roleTup);
 
    if (*shadow_pass == '\0')
+   {
+       *logdetail = psprintf(_("User \"%s\" has an empty password."),
+                             role);
        return STATUS_ERROR;    /* empty password */
+   }
 
    CHECK_FOR_INTERRUPTS();
 
    /*
     * Compare with the encrypted or plain password depending on the
-    * authentication method being used for this connection.
+    * authentication method being used for this connection.  (We do not
+    * bother setting logdetail for pg_md5_encrypt failure: the only possible
+    * error is out-of-memory, which is unlikely, and if it did happen adding
+    * a psprintf call would only make things worse.)
     */
    switch (port->hba->auth_method)
    {
@@ -154,6 +165,9 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
        else
            retval = STATUS_OK;
    }
+   else
+       *logdetail = psprintf(_("Password does not match for user \"%s\"."),
+                             role);
 
    if (port->hba->auth_method == uaMD5)
        pfree(crypt_pwd);