Обсуждение: ident authentication with named localhost

Поиск
Список
Период
Сортировка

ident authentication with named localhost

От
David Link
Дата:
Hi,

I am having trouble with ident authentication.  Everything is working
fine except when specifying host for connections on the local machine.

pg_hba.conf:

local   all     all                               ident wp
host    all     all     10.97.8.0/24              ident wp

pg_ident.conf:

wp      dlink           dlink
wp      dlink           firstalert
wp      dlink           postgres
wp      dlink           video
wp      postgres        postgres
wp      wwwrun          firstalert
wp      wwwrun          video

If the db is on mach1 and the Unix user is dlink the following works

dlink@mach1$ psql -d mydb -U postgres
dlink@mach2$ psql -d mydb -U postgres -h mach1 # from remote machine

While the following does not: (nor with perl DBI)

dlink@mach1$ psql -d mydb -U postgres -h mach1
dlink@mach1$ psql -d mydb -U postgres -h localhost
dlink@mach1$ psql -d mydb -U postgres -h 10.97.8.244
dlink@mach1$ psql -d mydb -U postgres -h 127.0.0.1

If I add the following to pg_hba.conf it works of course:

host    all     all     10.97.8.244/32            trust

But this does not:

host    all     all     10.97.8.244/32            ident wp.

If I try as the postgres Unix user then it works:

postgres@mach1$ psql -d mydb -U postgres -h mach1

We are using:
SUSE 9 / Linux 2.6.5-7
Postgresql 8.1
And LDAP.

The problem might be due to how identd works on localhost with LDAP.
The postgres user is found in /etc/passwd, while the dlink user is not.

Incidentally, get this, on a second machine (with same software) what's
described here as not working, works intermittently.  Now it worked.
Now it didn't.  For dlink user.  Weird.

Does anyone know how I can test ident? I can telnet 10.97.8.244 113.
The server port I know is 5432, but what's the client port to give?

Any and all help greatly appreciated.
Thanks.
David Link

Re: ident authentication with named localhost

От
Tom Lane
Дата:
David Link <dlink@soundscan.com> writes:
> Does anyone know how I can test ident?

I'd try sniffing the IP traffic to and from it with a packet sniffer
and/or tracing the daemon's system calls with strace.  Manually invoking
the daemon isn't going to prove a lot, you want to watch its reaction
to Postgres.

I believe some flavors of identd have debug tracing options, too
... check the man page ...

            regards, tom lane

Re: ident authentication with named localhost

От
David Link
Дата:
Tom Lane wrote:
> David Link <dlink@soundscan.com> writes:
>
>> Does anyone know how I can test ident?
>>
>
> I'd try sniffing the IP traffic to and from it with a packet sniffer
> and/or tracing the daemon's system calls with strace.  Manually invoking
> the daemon isn't going to prove a lot, you want to watch its reaction
> to Postgres.
>
Thanks for your suggestion.  I'm new to the concept of packet sniffing
and tracing.  Can you suggest where I should go or what I should read to
better understand this?
> I believe some flavors of identd have debug tracing options, too
> ... check the man page ...
>
Too bad no one else has reported this and already found an answer.
Maybe I should move to md5 authentication, however I wanted to avoid
having to type passwords.

Thanks,

Re: ident authentication with named localhost

От
Tom Lane
Дата:
David Link <dlink@soundscan.com> writes:
> Thanks for your suggestion.  I'm new to the concept of packet sniffing
> and tracing.  Can you suggest where I should go or what I should read to
> better understand this?

"man strace" ... strace is probably easier to use for this purpose than
a packet sniffer, and it'll generate a more complete view of what the
daemon is doing, too.

            regards, tom lane