Re: Connect error - Mailing list pgsql-novice
From | Bill Moseley |
---|---|
Subject | Re: Connect error |
Date | |
Msg-id | 20040113060317.GB551@hank.org |
In response to | Re: Connect error (Russell Shaw <rjshaw@iprimus.com.au>) |
List | pgsql-novice |

On Tue, Jan 13, 2004 at 02:38:04PM +1100, Russell Shaw wrote:
>
> In pg_ident.conf, I put:
>
> # MAPNAME     IDENT-USERNAME    PG-USERNAME
> apache        www-data          russell
> apache        russell           russell
>
> This works:
>    psql -U russell parts_list
>
> This doesn't:
>    psql -U www-data parts_list
>
> It says: psql: FATAL: IDENT authentication failed for user "www-data"

I don't think that's how it works. But, I'm just learning -- so I'll try and get it correct (but no guarantees).

The idea is you can do this:

    $ su www-data   # now you are the web server user
    $ psql -U russell parts_list

So you are saying with -U that you want to connect as the *Postgres* user "russell".

Now, normally, postgres would do an ident[1] and say, "Ok, you want to connect as user "russell" but the ident returned you as user "www-data" so you are not authenticated."

But, by using the map:

    apache    www-data    russell

that says (or so I'm guessing) that "ok, when ident returns 'www-data' map that to user 'russell' and use that username for connecting to the database." And thus you are requesting to connect as user (-U) russell and now the ident has been mapped to user russell so you are authenticated.

Or to say it another way, when you are user "russell" and you connect to psql it can do an ident and say authenticate that you really are "russell". But when you are another unix user, but you use -U to specify the username, it can't authenticate you -- so the map allows mapping of one unix username to another for authentication purposes.

All that, of course, has to work with pg_hba.conf.

BTW - I found it somewhat confusing because the default (at least mine) pg_hba.conf says any user that is also a postgres user can authenticate and then access any database when they connect from their own account.

    local   all   all   ident sameuser

> I've tried adding -h localhost also.
>
> How can I test the identd server for user www-data?
> www-data is in /etc/passwd, and I can also su to it.

Yes, but www-data is not a Postgres user -- and doesn't need to be.

[1] Also, when using psql you don't need an ident server running to authenticate -- just like "whoami" will report your username without using an ident server. That said, I hope someone will explain that better with regard to how unix-domain sockets work.

I trust someone will correct any errors in the above...

--
Bill Moseley
moseley@hank.org
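
The following is an added example, not part of the original message and not PostgreSQL's own code: a simplified Python model of the ident map check discussed in this thread, run over the pg_ident.conf lines quoted above. It assumes exact-name matching and that the word after `ident` in pg_hba.conf is either `sameuser` or a map name; the function names are hypothetical.

```python
# Simplified model of ident-map checking (assumption: exact-name matching only).
# Constructed sample input: the pg_ident.conf lines quoted in the thread.
PG_IDENT_CONF = """\
# MAPNAME   IDENT-USERNAME   PG-USERNAME
apache      www-data         russell
apache      russell          russell
"""

def parse_ident_map(text):
    """Return {mapname: {(ident_user, pg_user), ...}}, skipping comments and blanks."""
    maps = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        mapname, ident_user, pg_user = fields
        maps.setdefault(mapname, set()).add((ident_user, pg_user))
    return maps

def ident_allows(maps, hba_option, os_user, requested_pg_user):
    """Decide whether unix user `os_user` may connect as `requested_pg_user`.

    hba_option models the word after `ident` in pg_hba.conf:
    "sameuser" requires identical names; anything else names a map.
    An unknown map name denies the connection (fail closed).
    """
    if hba_option == "sameuser":
        return os_user == requested_pg_user
    return (os_user, requested_pg_user) in maps.get(hba_option, set())

def main():
    maps = parse_ident_map(PG_IDENT_CONF)
    cases = [("russell", "russell"), ("russell", "www-data"),
             ("www-data", "russell"), ("www-data", "www-data")]
    for option in ("sameuser", "apache"):
        for os_user, pg_user in cases:
            ok = ident_allows(maps, option, os_user, pg_user)
            verdict = "ok" if ok else "IDENT authentication failed"
            print(f"ident {option:8} unix={os_user:8} -U {pg_user:8} -> {verdict}")

if __name__ == "__main__":
    main()
```

In this model, the PG-USERNAME column is the only place a database user name can come from, so every entry in a map is a grant: each row lets one unix account act as one database user.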