Discussion: Adding line to pg_hba.conf for a specific group makes superuser authentication fail in 9.0?
Hi Guys, I'm having what's hopefully a fairly trivial issue here with pg_hba.conf in 9.0.4; when I add in the following line: host all +ad_users 10.10.0.0/16 ldap <ldap details> If I try to log in with a superuser account from the 10.10.0.0/16 network it appears to try to authenticate it against that entry via ldap. This didn't happen in 8.4.8, what could I be missing? Thanks Glyn
Glyn Astill <glynastill@yahoo.co.uk> writes: > I'm having what's hopefully a fairly trivial issue here with pg_hba.conf in 9.0.4; when I add in the following line > host all +ad_users 10.10.0.0/16 ldap <ldap details> > If I try to log in with a superuser account from the 10.10.0.0/16 network it appears to try to authenticate it against that entry via ldap. > This didn't happen in 8.4.8, what could I be missing? Well, a superuser is automatically considered a member of any group, so a match to that line would be expected IMO. If you don't want that, you need some more-specific line ahead of it to catch superusers. regards, tom lane
> From: Tom Lane <tgl@sss.pgh.pa.us> > Glyn Astill <glynastill@yahoo.co.uk> writes: >> I'm having what's hopefully a fairly trivial issue here with > pg_hba.conf in 9.0.4; when I add in the following line > >> host all +ad_users 10.10.0.0/16 ldap <ldap > details> > >> If I try to log in with a superuser account from the 10.10.0.0/16 network > it appears to try to authenticate it against that entry via ldap. > >> This didn't happen in 8.4.8, what could I be missing? > > Well, a superuser is automatically considered a member of any group, > so a match to that line would be expected IMO. If you don't want that, > you need some more-specific line ahead of it to catch superusers. > > regards, tom lane > Well that's all new to me, surely this is a bug? How can I specifically catch superusers?
Re: Adding line to pg_hba.conf for a specific group makes superuser authentication fail in 9.0?
From
"Kevin Grittner"
Date:
Glyn Astill <glynastill@yahoo.co.uk> wrote: > How can I specifically catch superusers? Create a group (nobody?) that you don't grant to any users. Only superusers will be a member of it. -Kevin
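The pg_hba.conf arrangement Kevin describes, written out as an added example (not a configuration posted in the thread). It assumes a role named superusers_only that has been created and never granted to anyone; the LDAP options are left as the <ldap details> placeholder the original post used. Because the first matching line wins, the catch-all-superusers line has to sit above the +ad_users line:

```conf
# pg_hba.conf fragment (added example, not from the thread).
# Assumes a role "superusers_only" exists with no members. In 9.0 a
# superuser is implicitly a member of every role, so it matches
# "+superusers_only" here and never reaches the LDAP line below.
# Ordinary users are not members of "superusers_only", so they fall
# through to the +ad_users line as before.
#
# TYPE  DATABASE  USER              ADDRESS        METHOD
host    all       +superusers_only  10.10.0.0/16   md5
host    all       +ad_users         10.10.0.0/16   ldap <ldap details>
```

The empty role is created with CREATE ROLE superusers_only NOLOGIN (NOLOGIN so it can never be used to connect itself), and pg_hba.conf is reloaded afterwards. To confirm the membership rule the thread relies on, SELECT pg_has_role('postgres', 'superusers_only', 'member') returns true for a superuser even though nothing was granted; the same query for a normal login role returns false. The inverse caveat also follows from the rule: any later line of the form +somerole will still match every superuser, so place the superuser line once, at the top, rather than relying on any group line further down.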
> From: Kevin Grittner <Kevin.Grittner@wicourts.gov> > Glyn Astill <glynastill@yahoo.co.uk> wrote: > >> How can I specifically catch superusers? > > Create a group (nobody?) that you don't grant to any users. Only > superusers will be a member of it. > Ah of course, simple, thanks Kevin. I can't help but feel that there should be something in the docs for 9.0 to specify this, since it is a behaviour difference from 8.4 and earlier. The docs (http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html) do say: "Recall that there is no real distinction between users and groups in PostgreSQL; a + mark really means "match any of the roles that are directly or indirectly members of this role", while a name without a + mark matches only that specific role" Maybe the docs should be embellished to also say "since a superuser is automatically considered a member of any group, it should be taken into account that names with a + mark will affect all superusers (although this was not the case prior to 9.0)" or something along those lines. Glyn
Re: Adding line to pg_hba.conf for a specific group makes superuser authentication fail in 9.0?
From
"Kevin Grittner"
Date:
Glyn Astill <glynastill@yahoo.co.uk> wrote: > Maybe the docs should be embellished to also say "since a > superuser is automatically considered a member of any group, it > should be taken into account that names with a + mark will affect > all superusers (although this was not the case prior to 9.0)" or > something along those lines. That seems like a good idea to me. I can't help but think that someone, somewhere is going to create a "suspended" role to assign to logins which they want temporarily disabled, put that at the top of pg_hba.conf, and not be amused by the results. When I dig out from under some other issues, I'll put together a docs patch to propose something like the above, if nobody beats me to it. -Kevin