Обсуждение: How to setup PostgreSQL to work with libpam-pgsql/libnss-pgsql2?

Hello,

I am new to Linux and setup 6 Computers with Debian:

1) 2 Workstations
2) 2 Intranet Servers
3) PostgreSQL Server
4) Router

The two Intranet Servers are now working with NFSv4/TCP, Apache2 with suphp and php5, courier-imap/mta/mlm

My Router is working to and use IPT, bind9 and apache2 with mod_proxy forwarding traffic to the two Intranet Servers.

Also the Workstations are working fine.

Now I like to switch with the authentification to libpam-pgsql/libnss-pgsql2 but I hit a problem with the PostgreSQL,
becauseit refuse any connections from the network.
 

I have setup in the postgresql.conf

listen_addresses = '192.168.0.3'

and in the pg_hba.conf

local   all     postgres                        ident sameuser
host    system  root            192.168.0.0/24  md5

now restarted postgresql and  "system" with the psql commandline tool.  Then imported the SQL Scheme from
libpam-pgsql.

OK, now on a workstation I installed libpam-pgsql and libnss-pgsql2 leave a terminal open to revert  the PAM/NSS files
ifsomething goes wrong and setup the files
 

/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password

to use the PostgreSQL database and now I was XXXX!  nothing is working anymore.  I can not even connect to the
PostgreSQLserver.
 

Can someone tell me please, how to setup PostgreSQL so I can use it with libpam-pgsql and libnss-pgsql2?

Thanks
PCMOS




freenetMail mobil – Alle E-Mails auf Ihrem Handy versenden und empfangen.
Jetzt kinderleicht und kostenlos einrichten. http://tls.freenet.de/tipp/handymail/index.html

OK, now I can connect to the PostgreSQL Server but it is weird...

> -----Ursprüngliche Nachricht-----
> and in the pg_hba.conf
> local   all     postgres                        ident sameuser
> host    system  root            192.168.0.0/24  md5

I can not use "root" as the owner of the database...

Now I have created a user named "system" and changed from "root" to "system" is now working

Can someone tell me the command line, how to restrict the access to DB "system" to user "system" only?

Thanks

-- 




Exklusiv: Neue E-Mail-Adresse @iPhone.de jetzt verfügbar!
Sichern Sie sich jetzt ihre persönliche http://www.iphone.de/iphonemail/index.html?pid=10111947021

On 25/08/2010 3:02 AM, PMC OS wrote:
> I am new to Linux

[snip]

> Now I like to switch with the authentification to libpam-pgsql/libnss-pgsql2

Honestly, in most cases you'll be much better off managing
authentication with LDAP. It's a better design for the nature of
authentication and user data management, where it has to handle lots of
small read queries and only very rare writes. It also has better
replication.

Even if you're not using Samba, the smbldap-tools provide handy commands
to manage users in the LDAP directory, and the debian ldap-auth-client
package provides a convenient way to configure a client to authenticate
against the directory.

Initial setup takes a little learning, but is well worth it.

If you later find that you need to store user data in a relational
database for some reason, you can even configure slapd to use the
database as a backend, so you're using PostgreSQL behind the scenes but
your clients still talk LDAP. I've never found the need, though; I run
the network at the business I'm sysadmin at with pure LDAP
authentication (slapd, berkely db backend) quite happily.

> to use the PostgreSQL database and now I was XXXX!  nothing is working anymore.  I can not even connect to the
PostgreSQLserver. 

Even via "psql -h 192.168.0.3" ?

Can you ping it?

If you run "ps aux | grep postgres" on the server, are there any
postgresql processes running?

If you run "psql" on the server, can it connect? If not, what's the
error message?

If you look at /var/log/postgresql on the server, what are the last few
lines in the logs?

--
Craig Ringer

Good morning,

> -----Ursprüngliche Nachricht-----
> Von: Craig Ringer 
> Honestly, in most cases you'll be much better off managing
> authentication with LDAP. It's a better design for the nature of
> authentication and user data management, where it has to handle lots
> of
> small read queries and only very rare writes. It also has better
> replication.

We are only 20 persones in total and do not have the need to handel several 100 or 1000 requests in a short time

Also since we do much more with the database we need it anyway and LDAP would get its data from PostgreSQL... because I
donot like to maintain two systems at once which can do the same job.
 

Have now installed slapd on my OMAP L138 but now it has crashed the kernel and I cna not more boot the server because
itwant o init slapd and crash.
 

> Even if you're not using Samba, the smbldap-tools provide handy
> commands
> to manage users in the LDAP directory, 

How does this manage the user accountts and there homes?
It does not seem to create $HOME and copy the files from /etc/skel which I have already prepared...

> and the debian
> ldap-auth-client
> package provides a convenient way to configure a client to
> authenticate
> against the directory.

I have not found this package 

apt-cache show ldap-auth-client
W: Kann Paket ldap-auth-client nicht finden
E: Keine Pakete gefunden

> Even via "psql -h 192.168.0.3" ?

Now it works...  (see other mail)  I was not able to conenct as "root" and had to create an other user "system" and now
Ican connect
 

Have a nice day




Exklusiv: Neue E-Mail-Adresse @iPhone.de jetzt verfügbar!
Sichern Sie sich jetzt ihre persönliche http://www.iphone.de/iphonemail/index.html?pid=10111947021

On 25/08/10 14:18, PMC OS wrote:
> Good morning,
>
>> -----Ursprüngliche Nachricht-----
>> Von: Craig Ringer
>> Honestly, in most cases you'll be much better off managing
>> authentication with LDAP. It's a better design for the nature of
>> authentication and user data management, where it has to handle lots
>> of
>> small read queries and only very rare writes. It also has better
>> replication.
>
> We are only 20 persones in total and do not have the need to handel several 100 or 1000 requests in a short time
>
> Also since we do much more with the database we need it anyway and LDAP would get its data from PostgreSQL... because
Ido not like to maintain two systems at once which can do the same job. 

Well, fair enough then. Personally with that many people I'd certainly
want to use LDAP (for lower response latencies if nothing else), but
each to their own.

You'll probably want to use nscd on the client machine(s) to take some
of the load off Pg.

> Have now installed slapd on my OMAP L138 but now it has crashed the kernel and I cna not more boot the server because
itwant o init slapd and crash. 

That's ... surprising.

Kernel panic? Or is it just that slapd is crashing?

> How does this manage the user accountts and there homes?
> It does not seem to create $HOME and copy the files from /etc/skel which I have already prepared...

Most likely the same way you'll be doing it with pam auth against
postgresql: pam_mkhomedir . It has a decent man page.

> I have not found this package
>
> apt-cache show ldap-auth-client
> W: Kann Paket ldap-auth-client nicht finden
> E: Keine Pakete gefunden

My bad. Looks like it's an Ubuntu extension, just a metapackage that
pulls in libnss-ldap and libpam-ldap and provides a bit of config
support for them.

--
Craig Ringer

Tech-related writing: http://soapyfrogs.blogspot.com/

Good evening,

> -----Ursprüngliche Nachricht-----
> Von: Craig Ringer 
> > 
> > Have now installed slapd on my OMAP L138 but now it has crashed the
> > kernel and I cna not more boot the server because it want o init
> > slapd and crash.
> That's ... surprising.
> Kernel panic? Or is it just that slapd is crashing?

First PostgreSQL is started and then it try to start slapd and the whole system panics.  I have the problem with
severalprograms which want run on ARMEL architecture even if there are compiled for it.
 

I use the Debian standard  distribution Lenny and Squeeze but I am ongoing to recompile the whole system  for  EmDebian
ifmy Shiva-Plug
 

> > apt-cache show ldap-auth-client
> > W: Kann Paket ldap-auth-client nicht finden
> > E: Keine Pakete gefunden
> My bad. Looks like it's an Ubuntu extension, just a metapackage that
> pulls in libnss-ldap and libpam-ldap and provides a bit of config
> support for them.

:-/

Greetings




freenetMail mobil – Alle E-Mails auf Ihrem Handy versenden und empfangen.
Jetzt kinderleicht und kostenlos einrichten. http://tls.freenet.de/tipp/handymail/index.html