Re: Help with access control settings in pg_hba.conf --

From Victor Danilchenko
Subject Re: Help with access control settings in pg_hba.conf --
Date
Msg-id Pine.OSX.4.50.0501271014330.17513-100000@phobos.cs.umass.edu
In reply to Help with access control settings in pg_hba.conf -- AAAARGH!  (Victor Danilchenko <danilche@cs.umass.edu>)
Responses Re: Help with access control settings in pg_hba.conf --  (Victor Danilchenko <danilche@cs.umass.edu>)
List pgsql-admin
On Thu, 27 Jan 2005, Victor Danilchenko wrote:

>    Hi,
>
>    I am trying to set up a database server with multiple DB
>clusters, so that in each cluster a number of users have their own
>database each, with passwordless access (we can trust the network
>security in our installation). The following is what seems like it
>*should* work:
>
>host    all             all     127.0.0.1       255.255.255.255 password
>host    sameuser        all     xxx.xxx.xxx.0   255.255.255.128 ident sameuser
>host    all             @fac    xxx.xxx.xxx.0   255.255.255.128 trust
>
>    The second line ("host sameuser") is the problem. It doesn't
>work -- when trying to connect, I keep getting error messages:
>
>$ whoami
>testuser
>$ psql -h db-edlab -p 7666 testuser testuser
>psql: FATAL:  IDENT authentication failed for user "testuser"

    I forgot to mention that yes, I do have identd daemon running on
the connecting system -- from the RHL pidentd RPM.

>    If I replace 'ident sameuser' with 'trust' there, it works fine
>-- but then any user can access anyone else's database, providing they
>request the same password.
>
>    The idea is that each user should be able to access only their
>database, only as themselves, without password -- but I can't figure out
>what I am doing wrong. Any help? If what I am trying to do is
>impossible, is there any other way to achieve such a goal -- i.e.
>passwordless access that allows each user to access only their own
>database over the network?
>
>
>    BTW, as long as I am writing, a somewhat related question, which
>is not nearly as important as the previous one.
>
>    I launch multiple postmaster processes, each servicing a
>dedicated DB cluster on a dedicated port. The problem is that I only
>ever see *one* local UNIX socket (/tmp/.s.PGSQL.<portnumber>) file.
>There is a .lock file created corresponding to each server/port combo,
>but it looks like each subsequent instance of the postmaster kills the
>previous instance's UNIX socket. Is this how it should be -- and if so,
>are there any pg_ctl options I can pass in to make it simply not create
>the UNIX sockets altogether, so that only network operations are
>supported? At the moment, I am doing admin access through the loopback
>device, so it's not a big issue.
>
>

--
|  Victor  Danilchenko  +------------------------------------+
| danilche@cs.umass.edu | I don't have to outrun the bear -- |
|   CSCF   |   5-4231   |     I just have to outrun YOU!     |
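
The three quoted records, run through a small first-match evaluator (an added example, not part of the original message and not PostgreSQL's own code). PostgreSQL uses the first record whose database, user and address fields match, and does not fall through to a later record if that record's authentication fails. The 192.0.2.0 subnet, the `prof1` member of `@fac` and all function names are constructed for illustration.

```python
import ipaddress

# Constructed stand-ins: the post masks its subnet as xxx.xxx.xxx.0, so the
# documentation range 192.0.2.0 is used; FILES stands in for the "fac" list.
HBA = """\
host    all        all   127.0.0.1  255.255.255.255 password
host    sameuser   all   192.0.2.0  255.255.255.128 ident sameuser
host    all        @fac  192.0.2.0  255.255.255.128 trust
"""
FILES = {"fac": {"prof1"}}  # hypothetical member of the @fac user list


def parse(text):
    """Parse 'host db user address mask method [option]' records in order."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 6 and f[0] == "host":
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            rules.append((f[1], f[2], net, " ".join(f[5:])))
    return rules


def name_matches(field, name, files):
    """Match a comma-separated user field, expanding @file entries."""
    for item in field.split(","):
        if item == "all" or item == name:
            return True
        if item.startswith("@") and name in files.get(item[1:], ()):
            return True
    return False


def first_match(rules, db, user, client_ip, files=FILES):
    """Return the method of the first matching record; None means rejected.
    The server never falls through to a later record if authentication fails."""
    ip = ipaddress.ip_address(client_ip)
    for dbs, users, net, method in rules:
        db_ok = any(d == "all" or d == db or (d == "sameuser" and db == user)
                    for d in dbs.split(","))
        if db_ok and name_matches(users, user, files) and ip in net:
            return method
    return None


if __name__ == "__main__":
    rules = parse(HBA)
    for db, user, ip in [("testuser", "testuser", "192.0.2.10"),
                         ("otherdb", "prof1", "192.0.2.10"),
                         ("otherdb", "testuser", "192.0.2.10")]:
        print(db, user, ip, "->", first_match(rules, db, user, ip))
```

With `ident sameuser` swapped for `trust` in the second record, the same lookup returns `trust`, so the requested user name is accepted without any check.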
