Re: [ADMIN] phpPgAdmin + PostgreSQL + authentication - Mailing list pgsql-general

--howdy:

--i'm doing a few tests on it, and one of the drawbacks
--that i've seen is that you can not do complicated
--sql on it (the joins between multiple table, heavy
--calculations, etc).

--i tried to do something like that in a report (didn't see
--how else i could do it) and my browser timed out
--the query kept running! 

--i really would like to find a nice alternative (like pgAdmin II ).
--i've tested a few, but most of them don't handle md5
--encryption and the others want python installed
--(and at compile time when building postgreSQL ... i just
--can't do that right now ... ).

--if anyone can suggest some product that can do
--what pgAdmin II is doing without python AND can run on
--a windows  environment, i'd be grateful for the information.

--thanks again!

-X

-----Original Message-----
From: Hunter Matthews [mailto:thm@duke.edu]

On Tue, 2002-10-08 at 12:21, Johnson, Shaunn wrote:
> Not sure if this the most likely of maillists to ask,
> but is anyone using phpPgAdmin?  I have a few questions
> regarding authentication of username / passwords.

We are. I love it.

> In my pg_hba.conf, I have this:
>
> [snip conf file]
>
> # TYPE     DATABASE    IP_ADDRESS    MASK               AUTH_TYPE
> AUTH_ARGUMENT
> local        all                                            trust

I specifically disallow local, because we're about to switch to kerberos
as our auth mechanism.

In your case, I think you want md5 here as well.

> host         all         127.0.0.1       255.255.255.255    md5
> host         all         16.x.x.1        255.0.0.0          md5
> host         all         192.168.0.0     255.255.255.0      md5
>
> [/snip conf file]
>
> In the config.inc.php, I have this:
>
> [snip php conf]
>
>
> // The $cfgServers array starts with $cfgServers[1].  Do not use
> $cfgServers[0].
> // You can disable a server config entry by setting host to ''.
> $cfgServers[1]['local']         = false;
> $cfgServers[1]['host']          = 'test.localserver.net';
> $cfgServers[1]['port']          = '5432';
> $cfgServers[1]['adv_auth']      = true;
>
> $cfgServers[1]['user']          = '';   // if you are not using adv_auth,
>                                                   // enter the username to
> connect all the time
> $cfgServers[1]['password']      = '';   // if you are not using adv_auth and
>
>                                                   // a password is
> required enter a password
> $cfgServers[1]['only_db']       = '';   // if set to a db-name, only this db
> is accessible
>
>
> [/snip php conf]
>
> As I understand it, shouldn't this allow any user with TCP connection
> to access the database?  I suppose I am trying to understand if
> adv_auth even uses pg_shadow at all, or, does 'local' means that
> no authentication is needed, anyone can log in.

I believe it does.

>
> The only thing that  happens at the index.php page is when I log
> in, I get "Wrong username/password. Access denied".

Advance auth requires you to have these two entries:
$cfgServers[1]['stduser']       = 'auth';
$cfgServers[1]['stdpass']       = 'adv_auth';

Obviously, where stduser and stdpass are specific to your site.

What happens is pgadmin needs someway to confirm or deny that a given
user can login to the database, and so has to use this "other"
user/password to connect.

I think thats whats happening, anyway.

--
Hunter Matthews                          Unix / Network Administrator
Office: BioScience 145/244               Duke Univ. Biology Department
Key: F0F88438 / FFB5 34C0 B350 99A4 BB02  9779 A5DB 8B09 F0F8 8438
Never take candy from strangers. Especially on the internet.