Discussion: Bug in user pg_ident.conf mapping code?

Hey,

So, I've gotten this on 9.3.4 after having a complaint from a user with a hyphen in his name, but I dug further.

This is at the top of my pg_hba.conf file:

local all all peer map=local

And this is my pg_ident.conf:

local dude-guy dudeguy
local /(.*)$ \1

I've reloaded configs, and even went as far as to restart the database. Yet the errors I get in the logs say this:

2014-04-02 10:39:59 CDT|LOG: no match in usermap "local" for user "dude-guy" authenticated as "dude-guy"
2014-04-02 10:39:59 CDT|FATAL: Peer authentication failed for user "dude-guy"
2014-04-02 10:39:59 CDT|DETAIL: Connection matched pg_hba.conf line 84: "local all all peer map=local"

What's going on, here? Shouldn't it be checking for peer auth before applying the mapping? Am I missing something?

--
Shaun Thomas
OptionsHouse | 141 W. Jackson Blvd. | Suite 500 | Chicago IL, 60604
312-676-8870
sthomas@optionshouse.com

______________________________________________

See http://www.peak6.com/email_disclaimer/ for terms and conditions related to this email

On 04/02/2014 10:01 AM, Shaun Thomas wrote:
> Hey,
>
> So, I've gotten this on 9.3.4 after having a complaint from a user with
> a hyphen in his name, but I dug further.
>
> This is at the top of my pg_hba.conf file:
>
> local all all peer map=local
>
> And this is my pg_ident.conf:
>
> local dude-guy dudeguy
> local /(.*)$ \1
>
> I've reloaded configs, and even went as far as to restart the database.
> Yet the errors I get in the logs say this:
>
> 2014-04-02 10:39:59 CDT|LOG: no match in usermap "local" for user
> "dude-guy" authenticated as "dude-guy"
> 2014-04-02 10:39:59 CDT|FATAL: Peer authentication failed for user
> "dude-guy"
> 2014-04-02 10:39:59 CDT|DETAIL: Connection matched pg_hba.conf line 84:
> "local all all peer map=local"
>
> What's going on, here? Shouldn't it be checking for peer auth before
> applying the mapping? Am I missing something?

Who are you connecting as dude-guy or dudeguy?

Looks to me like:

psql -d some_db -U dude-guy

From here:

http://www.postgresql.org/docs/9.3/interactive/auth-username-maps.html

Example 19.2

If I am following you are restricting dude-guy to logging in as dudeguy.

--
Adrian Klaver
adrian.klaver@aklaver.com

On 04/02/2014 03:27 PM, Adrian Klaver wrote:
> Who are you connecting as dude-guy or dudeguy?
>
> Looks to me like:
>
> psql -d some_db -U dude-guy

You are correct. I was assuming the translation went system -> PostgreSQL, not the other way around. Like, by setting -U dude-guy, PostgreSQL checked peer auth, then applied the mapping to find and apply the database username.

Not sure why I had it backwards, but thanks. :)

--
Shaun Thomas

On 04/02/2014 01:35 PM, Shaun Thomas wrote:
> On 04/02/2014 03:27 PM, Adrian Klaver wrote:
>
>> Who are you connecting as dude-guy or dudeguy?
>>
>> Looks to me like:
>>
>> psql -d some_db -U dude-guy
>
> You are correct. I was assuming the translation went system ->
> PostgreSQL, not the other way around. Like, by setting -U dude-guy,
> PostgreSQL checked peer auth, then applied the mapping to find and apply
> the database username.
>
> Not sure why I had it backwards, but thanks. :)

FYI this works:

postgres@test=# CREATE ROLE dude_guy;
CREATE ROLE

If you want a sort of hyphen.

--
Adrian Klaver
adrian.klaver@aklaver.com

On 04/02/2014 03:42 PM, Adrian Klaver wrote:
> If you want a sort of hyphen.

I know. Unfortunately, the user in question gets his name from our Active Directory system. We have PAM set up to maintain local users based on the username assigned there, so the hyphen is stuck.

Trust me, we lament about the situation regularly. ;)

--
Shaun Thomas