OK, I think I get it now.
For a database "newdb", created by user moseley and to only
allow connections from user moseley and the web server running as www-data
add the following line early:
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local newdb all ident webaccess
So, all unix-domain connections (local) trying to connect to user "newdb"
will check the "webaccess" map in the pg_ident.conf file.
webaccess moseley moseley
webaccess www-data moseley
The first one is basically duplicating the "sameuser" feature.
Connection requests as user moseley must ident as user moseley.
The second one says connections for user moseley can ident as
"www-data". "www-data" does not need to be a postgres user, of course.
bumby:~$ whoami
www-data
bumby:~$ psql -Umoseley newdb
Welcome to psql 7.4.1, the PostgreSQL interactive terminal.
Now, to allow host connections (which is how my web application would
connect), add the "host" line:
# TYPE DATABASE USER IP-ADDRES IP-MASK METHOD
local newdb all ident webaccess
host newdb all 127.0.0.1 255.255.255.255 ident webaccess
I'm running Debian sid which didn't have ident running, so I installed
the ident2 package before this would work.
I'm just learning, but...
I doubt I would use this method. Instead I'd use the md5 method
and load the password into the web server on startup (when running as
root). That won't work with CGI programs, but will with mod_perl, for
example. With the above method anyone with access to the web server can
access the newdb database. Using a username and password also allows
GRANT permissions per user.
--
Bill Moseley
moseley@hank.org
