Thread: postgres 7.2.1 and pam

postgres 7.2.1 and pam

From
Georg Lutz
Date:
Hi,

i would like to use pam(ldap) to authenticate users.

Unix-LDAP-Users already exists and they can login.

I created a user via "CREATE USER user;" without a password, having a
valid unix-account in ldap.

But whenever I try to login to postgresql via psql -U user
template1 i get "psql: FATAL 1:  Password authentication failed for user
user".

I installed the rpm's from
ftp://ftp.postgresql.org/pub/binary/v7.2.1/RPMS/redhat-7.2/
on RH 7.2 .

My pg_hba.conf looks like this:
---
local      all                                           md5
local      all                                           pam     postgresql
---

In /etc/pam.d/postgresql:
---
auth     required      pam_ldap.so
---


What is the problem here?


Please CC, I am not subscribed.

--
Georg

Re: postgres 7.2.1 and pam

From
"Jameson C. Burt"
Date:
On Sun, May 26, 2002 at 06:34:13PM +0200, Georg Lutz wrote:
> Hi,
>
> i would like to use pam(ldap) to authenticate users.
>
> Unix-LDAP-Users already exists and they can login.
>
> I created a user via "CREATE USER user;" without a password, having a
> valid unix-account in ldap.
>
> But whenever I try to login to postgresql via psql -U user
> template1 i get "psql: FATAL 1:  Password authentication failed for user
> user".
>
> I installed the rpm's from
> ftp://ftp.postgresql.org/pub/binary/v7.2.1/RPMS/redhat-7.2/
> on RH 7.2 .
>
> My pg_hba.conf looks like this:
> ---
> local      all                                           md5
> local      all                                           pam     postgresql
> ---
>
> In /etc/pam.d/postgresql:
> ---
> auth     required      pam_ldap.so
> ---


While I haven't tried ldap, I have used the following in
/etc/pam.d/postgresql for local and remote "guest" [I created user
"guest" in postgresql] tcp connections:
    auth       required      pam_ftp.so users=guest
    account    required      pam_permit.so
With no restrictions, allowing even user "postgres" access, I have used:
    auth       required      pam_permit.so
    account    required      pam_permit.so
Neither of these sets of lines requires a password entry.
I found that I NEEDED BOTH AN "auth" AND AN "account" ENTRY,
but I didn't need a "password" or a "session" entry.

I currently have in pg_hba.conf,
   local  all                       pam postgresql
   host   all  0.0.0.0   0.0.0.0    pam postgresql    #for tcp access
I have tried various other entries in these two files,
but I could then never gain access with a password.
Such denial of access that I didn't see with other
pam applications (telnet, ssh, ftp) led me to suspect postgres
compilation errors in its use of pam
(either in pam source or in Debian Linux's complations).

While this worked for my non-ldap situation
on a Debian Linux (3.0 version), I write as a Postgresql
pam novice.



>
> What is the problem here?
> Please CC, I am not subscribed.
> --Georg
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster

Re: postgres 7.2.1 and pam

From
Peter Eisentraut
Date:
Georg Lutz writes:

> My pg_hba.conf looks like this:
> ---
> local      all                                           md5
> local      all                                           pam     postgresql
> ---

Both of these entries apply to local connections, so the first one gets
used and PAM is never considered.

--
Peter Eisentraut   peter_e@gmx.net