Thread: PostgreSQL pam ldap document

PostgreSQL pam ldap document

From
Adrian Nida
Date:
All,

    I visited #postgresql @ FreeNode and asked about how to make pg use pam
about a week ago (specifically I wanted to auth against LDAP).  I was
told to figure it out and write a doc...

Here is my attempt at doing so:  http://itc.musc.edu/wiki/PostGreSQL

Please review for accuracy and/or proofreading.

Thanks,

Adrian

Re: [HACKERS] PostgreSQL pam ldap document

From
Bruce Momjian
Date:
Adrian Nida wrote:
> All,
>
>     I visited #postgresql @ FreeNode and asked about how to make pg use pam
> about a week ago (specifically I wanted to auth against LDAP).  I was
> told to figure it out and write a doc...
>
> Here is my attempt at doing so:  http://itc.musc.edu/wiki/PostGreSQL
>
> Please review for accuracy and/or proofreading.

I get a "not exists" error on that URL.

I assume you looked at:

    http://www.postgresql.org/docs/8.0/interactive/auth-methods.html#AUTH-PAM

Do you have additions to it?

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: [HACKERS] PostgreSQL pam ldap document

From
David Fetter
Date:
On Fri, Mar 11, 2005 at 11:42:53AM -0500, Bruce Momjian wrote:
> Adrian Nida wrote:
> > All,
> >
> >     I visited #postgresql @ FreeNode and asked about how to make pg use pam
> > about a week ago (specifically I wanted to auth against LDAP).  I was
> > told to figure it out and write a doc...
> >
> > Here is my attempt at doing so:  http://itc.musc.edu/wiki/PostGreSQL
> >
> > Please review for accuracy and/or proofreading.
>
> I get a "not exists" error on that URL.

http://itc.musc.edu/wiki/PostgreSQL

(only 4 capital letters) works.

> I assume you looked at:
>
>     http://www.postgresql.org/docs/8.0/interactive/auth-methods.html#AUTH-PAM
>
> Do you have additions to it?

'pears so :)

Cheers,
D
--
David Fetter david@fetter.org http://fetter.org/
phone: +1 510 893 6100   mobile: +1 415 235 3778

Remember to vote!

Re: [HACKERS] PostgreSQL pam ldap document

From
Adrian Nida
Date:
<Snip/>
>>Here is my attempt at doing so:  http://itc.musc.edu/wiki/PostGreSQL
<Snip/>
> I get a "not exists" error on that URL.
Sorry, I renamed the URL after someone pointed out the correct spelling.
  This was a link to the old one.  I apologize for the confusion, the
right URL is:

http://itc.musc.edu/wiki/PostgreSQL

> I assume you looked at:
>     http://www.postgresql.org/docs/8.0/interactive/auth-methods.html#AUTH-PAM
> Do you have additions to it?

Yes, I did look at it.  No offense to the original author, but my doc
has a lot more than the four sentences that are there.  I was hoping it
would help others in my situation.  Again any and all
comments/questions/blah are appreciated.

Thanks,

Adrian


Re: [HACKERS] PostgreSQL pam ldap document

From
Dick Davies
Date:
* Adrian Nida <nida@musc.edu> [0307 18:07]:
> <Snip/>
> >>Here is my attempt at doing so:  http://itc.musc.edu/wiki/PostGreSQL
> <Snip/>
> >I get a "not exists" error on that URL.
> Sorry, I renamed the URL after someone pointed out the correct spelling.
>  This was a link to the old one.  I apologize for the confusion, the
> right URL is:
>
> http://itc.musc.edu/wiki/PostgreSQL
>
> >I assume you looked at:
> >    http://www.postgresql.org/docs/8.0/interactive/auth-methods.html#AUTH-PAM
> >Do you have additions to it?
>
> Yes, I did look at it.  No offense to the original author, but my doc
> has a lot more than the four sentences that are there.  I was hoping it
> would help others in my situation.  Again any and all
> comments/questions/blah are appreciated.

I think the point he's trying to make is that most of your howto is
how to set up pg_hba.conf (which is in the docs anyway) and how to set up pam_ldap
for a service (which is really a pam howto).

It'd be nice if the docs at

http://www.postgresql.org/docs/8.0/interactive/auth-methods.html#AUTH-PAM

said

'you need to createuser(8) a postgres user too. PAM is only used to
validate a username/password pair - the user has to exist in postgres as well.'

and it will, once it updates :)



--
'When the door hits you in the ass on the way out, clean off the smudge
 your ass leaves, please'
        -- Alien loves Predator
Rasputin :: Jack of All Trades - Master of Nuns

Re: [HACKERS] PostgreSQL pam ldap document

From
Bruce Momjian
Date:
Addition added to PAM documentation.  Patch attached and will appear in
8.0.3.

---------------------------------------------------------------------------

Dick Davies wrote:
> * Adrian Nida <nida@musc.edu> [0307 18:07]:
> > <Snip/>
> > >>Here is my attempt at doing so:  http://itc.musc.edu/wiki/PostGreSQL
> > <Snip/>
> > >I get a "not exists" error on that URL.
> > Sorry, I renamed the URL after someone pointed out the correct spelling.
> >  This was a link to the old one.  I apologize for the confusion, the
> > right URL is:
> >
> > http://itc.musc.edu/wiki/PostgreSQL
> >
> > >I assume you looked at:
> > >    http://www.postgresql.org/docs/8.0/interactive/auth-methods.html#AUTH-PAM
> > >Do you have additions to it?
> >
> > Yes, I did look at it.  No offense to the original author, but my doc
> > has a lot more than the four sentences that are there.  I was hoping it
> > would help others in my situation.  Again any and all
> > comments/questions/blah are appreciated.
>
> I think the point he's trying to make is that most of your howto is
> how to set up pg_hba.conf (which is in the docs anyway) and how to set up pam_ldap
> for a service (which is really a pam howto).
>
> It'd be nice if the docs at
>
> http://www.postgresql.org/docs/8.0/interactive/auth-methods.html#AUTH-PAM
>
> said
>
> 'you need to createuser(8) a postgres user too. PAM is only used to
> validate a username/password pair - the user has to exist in postgres as well.'
>
> and it will, once it updates :)
>
>
>
> --
> 'When the door hits you in the ass on the way out, clean off the smudge
>  your ass leaves, please'
>         -- Alien loves Predator
> Rasputin :: Jack of All Trades - Master of Nuns
>
> ---------------------------(end of broadcast)---------------------------
> TIP 7: don't forget to increase your free space map settings
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.76
diff -c -c -r1.76 client-auth.sgml
*** doc/src/sgml/client-auth.sgml    22 Apr 2005 04:18:58 -0000    1.76
--- doc/src/sgml/client-auth.sgml    26 Apr 2005 02:50:34 -0000
***************
*** 883,890 ****
      default PAM service name is <literal>postgresql</literal>. You can
      optionally supply your own service name after the <literal>pam</>
      key word in the file <filename>pg_hba.conf</filename>.
!     For more information about PAM, please read the
!     <ulink url="http://www.kernel.org/pub/linux/libs/pam/">
      <productname>Linux-PAM</> Page</ulink>
      and the <ulink url="http://www.sun.com/software/solaris/pam/">
      <systemitem class="osname">Solaris</> PAM Page</ulink>.
--- 883,892 ----
      default PAM service name is <literal>postgresql</literal>. You can
      optionally supply your own service name after the <literal>pam</>
      key word in the file <filename>pg_hba.conf</filename>.
!     PAM is used only to validate username/password pairs.
!     The user must already exist in the database before PAM
!     can be used for authentication.  For more information about
!     PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/">
      <productname>Linux-PAM</> Page</ulink>
      and the <ulink url="http://www.sun.com/software/solaris/pam/">
      <systemitem class="osname">Solaris</> PAM Page</ulink>.
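Review bot: The added sentence "The user must already exist in the database before PAM can be used for authentication" does not say how the user gets created, and "in the database" can be read as a per-database object rather than a database user account. The suggestion earlier in this thread named createuser explicitly; consider wording such as "A database user of the same name must already exist (see createuser or CREATE USER)" so that a reader who has only configured pam_ldap knows which step is still missing. A smaller style point: the opening <ulink url="http://www.kernel.org/pub/linux/libs/pam/"> tag now trails the text "PAM, please read the" on one line, which is noticeably longer than the surrounding lines; keeping the tag on its own line, as in the old text, would match the file's wrapping.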