Hi,
I'm not sure that this is not a configuration or networking issue (so
apologies if it is), but we seem to be getting rare (a few times/day)
failures with ident authentication because several clients attempt to do
it simultaneously over a high-latency connection (capitalized = edited
IPs/username etc.):
[DB CLIENTADDR(51985) 3173 2011-06-17 10:49:56 CEST] LOG: could not bind to local address "SERVERADDR": Address already in use
[DB CLIENTADDR(51985) 3173 2011-06-17 10:49:56 CEST] FATAL: Ident authentication failed for user "USER"
[DB CLIENTADDR(51986) 3183 2011-06-17 10:49:56 CEST] FATAL: no pg_hba.conf entry for host "CLIENTADDR", user "USER", database "DB", SSL off
On the client side, we had 2 connection attempts, of which 1 failed
(apparently):
Jun 17 10:49:53 xxx oidentd[12377]: Connection from SERVER (SERVERADDR):0
Jun 17 10:49:53 xxx oidentd[12377]: [SERVER] Successful lookup: 51980 , 5432 : crm (crm)
[Fri Jun 17 10:49:53 2011] [error] [client 127.0.0.1] [Fri Jun 17 10:49:53 2011] kv_tpl.pl: DBI connect('dbname=DB;host=SERVER','USER',...) failed: FATAL: Ident authentication failed for user "USER", referer: URL
[Fri Jun 17 10:49:53 2011] [error] [client 127.0.0.1] [Fri Jun 17 10:49:53 2011] kv_tpl.pl: FATAL: no pg_hba.conf entry for host "CLIENTADDR", user "USER", database "DB", SSL off at /var/www/crm/kv_tpl.pl line 100, referer: URL
Is this a possible race condition in src/backend/libpq/auth.c?
[note: the client/server clocks are 3 seconds apart at this point, I
haven't investigated whether that causes issues here]
---
    /*
     * Bind to the address which the client originally contacted, otherwise
     * the ident server won't be able to match up the right connection. This
     * is necessary if the PostgreSQL server is running on an IP alias.
     */
    rc = bind(sock_fd, la->ai_addr, la->ai_addrlen);
    if (rc != 0)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not bind to local address \"%s\": %m",
                        local_addr_s)));
        ident_return = false;
        goto ident_inet_done;
    }
---
Regards,
Marinos
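
Added example, not part of the original message and not PostgreSQL code: a triage script that pairs each "Ident authentication failed" line with an earlier "could not bind to local address" line from the same backend, so ident failures caused by a server-side socket error can be counted separately from the rest. The log prefix layout is assumed from the server lines quoted above, the function name is hypothetical, and the pid 3190 line is constructed.

```python
import re

# Prefix layout assumed from the server lines in the message:
# [database client(port) backend_pid timestamp] LEVEL: message
LINE_RE = re.compile(
    r"^\[(?P<db>\S+) (?P<client>[^\s(]+)\((?P<port>\d+)\) (?P<pid>\d+) "
    r"(?P<ts>[^\]]+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
BIND_FAIL = "could not bind to local address"
IDENT_FAIL = "Ident authentication failed"

# Constructed sample: the three server lines from the message (unwrapped)
# plus one constructed ident failure with no bind error before it (pid 3190).
SAMPLE_LOG = """\
[DB CLIENTADDR(51985) 3173 2011-06-17 10:49:56 CEST] LOG: could not bind to local address "SERVERADDR": Address already in use
[DB CLIENTADDR(51985) 3173 2011-06-17 10:49:56 CEST] FATAL: Ident authentication failed for user "USER"
[DB CLIENTADDR(51986) 3183 2011-06-17 10:49:56 CEST] FATAL: no pg_hba.conf entry for host "CLIENTADDR", user "USER", database "DB", SSL off
[DB CLIENTADDR(52001) 3190 2011-06-17 10:51:02 CEST] FATAL: Ident authentication failed for user "USER"
"""


def classify_ident_failures(log_text):
    """Return one record per ident failure, tagged with its likely cause."""
    bind_failed = set()  # (pid, client_port) sessions that logged a bind error
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # wrapped continuation lines or a different prefix
        # Key on pid plus client port so a reused pid is not confused
        # with an earlier backend.
        session = (m["pid"], m["port"])
        if m["level"] == "LOG" and m["msg"].startswith(BIND_FAIL):
            bind_failed.add(session)
        elif m["level"] == "FATAL" and m["msg"].startswith(IDENT_FAIL):
            cause = "local-bind-error" if session in bind_failed else "other"
            results.append({"pid": int(m["pid"]), "client_port": int(m["port"]),
                            "ts": m["ts"], "cause": cause})
    return results


if __name__ == "__main__":
    for rec in classify_ident_failures(SAMPLE_LOG):
        print(rec)
```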