Re: JDBC connection issue - Mailing list pgsql-jdbc

From Blaine Simpson
Subject Re: JDBC connection issue
Msg-id 40FEFF0E.6090807@admc.com
In response to JDBC connection issue  ("Young Nam" <Ynam@sharedmarketing.com>)
Responses Re: JDBC connection issue
List pgsql-jdbc
Oliver Jowett wrote:

> Blaine Simpson wrote:
>
>> Oliver Jowett wrote:
>>
>>> Blaine Simpson wrote:
>>>
>>>> You don't need an ident server if you use "md5", you do need an
>>>> ident server if you
>>>> use "trust".
>>>
>>> No. Please read
>>> http://www.postgresql.org/docs/7.4/static/auth-methods.html#AUTH-TRUST
>>
>> I did.  It says nothing about setting up trust for networks sockets,
>> implying that it is wide open.
>
> Are we reading the same document? The URL I provided explicitly talks
> about network sockets & trust auth. I quote:
>
> trust authentication is only suitable for TCP/IP connections if you
> trust every user on every machine that is allowed to connect to the
> server by the pg_hba.conf lines that specify trust. It is seldom
> reasonable to use trust for any TCP/IP connections other than those
> from localhost (127.0.0.1).

I have very good reading comprehension.  It says when TCP/IP is suitable
to use, but says nothing about what the requirements are.  As I said,
that IMPLIES that there are no additional requirements and it is wide
open.

The reason I question the implication is not that I can't read, but
because I have tried to use psql (not JDBC) over tcpip sockets with
"ident", and, what do you know, just like Kris said, there were system
log messages about ident failures.  This is because identd is disabled
on our servers and blocked by our firewalls.

>> But, as I've found in practice, and as Kris Jurka has pointed out,
>> you do have to satisfy ident
>> protocol requirements to use trust with network sockets.
>
> You are misquoting Kris. He said:
>
>>> "trust" has nothing to do with "ident" authentication, trust does
>>> not do any authentication at all and just lets you in.
>>
I know he said that, and I disagree with that because immediately after
he says that "Using ident authentication can be tricky with JDBC" (you
can't do non-network socket ident with JDBC according to everything I've
read about using the JDBC Driver) and "On the server side... requiring
kernel support for passing user information and tcp/ip sockets requiring
an ident server.".  Yes, PG server-side code requires identd setup to
use ident & tcp/ip.

> When trust auth is configured (for a particular source address), no
> ident query is done at all, so whether that source IP is running an
> ident server or not is irrelevant.
>
> -O



--
ICF:  703-934-3692       Cell:  703-944-9317
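
An added example, not part of this message or of the PostgreSQL project's code: a small pg_hba.conf audit that applies the documentation passage quoted in this thread. It flags `trust` rules for TCP/IP sources other than loopback, and `ident` rules on TCP/IP, which need an ident server on the client. The sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the thread).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    trust
host    all       all   127.0.0.1/32     trust
host    all       all   ::1/128          trust
host    all       all   192.168.0.0 255.255.255.0 trust
host    appdb     app   10.0.0.0/8       md5
hostssl all       all   0.0.0.0/0        ident
"""

def _network(fields):
    """Return (network, method) for a host line in CIDR or address+mask form."""
    addr = fields[3]
    if "/" in addr:
        return ipaddress.ip_network(addr, strict=False), fields[4]
    return ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False), fields[5]

def audit_hba(text):
    """Return (line_number, message) findings for TCP/IP rules worth reviewing."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or not fields[0].startswith("host"):
            continue  # blank line, comment, or Unix-socket ("local") rule
        try:
            net, method = _network(fields)
        except (ValueError, IndexError):
            # Host names, keywords or unusual masks are left for a human.
            findings.append((n, "address not parsed; review by hand"))
            continue
        if method == "trust" and not net.is_loopback:
            # trust performs no authentication, so the address range is the
            # only control on who gets in.
            findings.append((n, f"trust over TCP/IP from {net}: no credential check"))
        elif method == "ident":
            findings.append((n, f"ident over TCP/IP from {net}: relies on the client's ident server"))
    return findings

if __name__ == "__main__":
    for line_no, message in audit_hba(SAMPLE_HBA):
        print(f"line {line_no}: {message}")
```
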

