Re: Can we stop defaulting to 'ident'?

From Stephen Frost
Subject Re: Can we stop defaulting to 'ident'?
Msg-id 20191219165719.GC3195@tamriel.snowman.net
In response to Re: Can we stop defaulting to 'ident'?  ("James Cassell" <fedoraproject@cyberpear.com>)
Responses Re: Can we stop defaulting to 'ident'?  ("James Cassell" <fedoraproject@cyberpear.com>)
List pgsql-pkg-yum
Greetings,

* James Cassell (fedoraproject@cyberpear.com) wrote:
> On Wed, Dec 18, 2019, at 11:58 PM, Craig Ringer wrote:
> > 'ident' doesn't work by default on any RPM distro.
> >
> > It's not clear why the initdb wrapper for the rpm packages defaults to
> > generating 'host' entries with 'ident' auth, but I think it's pretty
> > unhelpful. At least if we used 'md5' the user could set passwords and
> > have them actually work.
> >
> >  initdbcmd="$PGENGINE/initdb --pgdata='$PGDATA' --auth='ident'"
> >  initdbcmd+=" $PGSETUP_INITDB_OPTIONS"
> >
> > I know you can override it easily enough, but most people won't know to.
>
> For what it's worth, I am quite happy with the current default of ident.
>
> To make it work, you can install the `authd` package, then enable the
> `auth.socket` systemd service.  I've made it listen only on localhost, and
> disabled the encryption part of authd because I didn't want to figure out
> how to give postgres the appropriate key.
>
> All-in-all, it makes for a seamless auth of local users/services to their
> own postgres databases running on localhost. Last I checked, ident auth was
> only specified for the localhost addresses in pg_hba.conf.  (RHEL 8 has
> marked the "authd" package as deprecated without any explanation, though...
> it still works fine and is still present.)

Why in the world would you want that over just using peer..?

'host' with 'ident' should have been outright removed from PG, imv...  I
actually thought it was but maybe it's only been deprecated.

Thanks,

Stephen
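
An added example, not part of the original message: a small Python check that lists the `host` records using `ident` in a pg_hba.conf, the kind of entries the thread says the RPM initdb wrapper generates. The sample file contents and the function names are constructed for illustration, and include directives are not followed.

```python
import ipaddress
import shlex

# Record types that carry an address column (TCP/IP connections).
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample pg_hba.conf contents (not taken from a real system).
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS                    METHOD
local   all       all                              peer
host    all       all   127.0.0.1/32               ident
host    all       all   ::1/128                    ident
host    all       all   127.0.0.1 255.255.255.255  ident  # IP + mask form
host    app       app   10.0.0.0/8                 md5
local   all       all                              ident
"""

def _is_bare_ip(value):
    """True for an address without /prefix, which is followed by a mask column."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) for each record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            fields = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        except ValueError:
            continue  # unbalanced quote: not a usable record
        if len(fields) >= 4 and fields[0] == "local":
            yield lineno, "local", fields[1], fields[2], None, fields[3]
        elif len(fields) >= 5 and fields[0] in HOST_TYPES:
            pos = 5 if _is_bare_ip(fields[3]) else 4  # skip the separate mask column
            if len(fields) > pos:
                yield lineno, fields[0], fields[1], fields[2], fields[3], fields[pos]

def find_host_ident(text):
    """Return the TCP/IP records whose auth method is 'ident'."""
    return [r for r in parse_hba(text) if r[1] in HOST_TYPES and r[5] == "ident"]

if __name__ == "__main__":
    for lineno, ctype, db, user, addr, method in find_host_ident(SAMPLE):
        print(f"line {lineno}: {ctype} {db} {user} {addr} uses {method}")
```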
