Thread: pg_ident.conf not working?

pg_ident.conf not working?

From
Joe Brenner
Date:
I've noticed a difference in postgresql 8.3 and 9.0.1 that I suspect
is a bug.  pg_ident.conf isn't working the way it used to.

I have a website set-up with apache running as using user
"www-data".  As I remember it, I found that it was difficult to
set-up a postgres user name with a hyphen in it, so I fell back
on creating a "www" postgres account, and I used the mapping:

pg_ident.conf:

  # MAPNAME       SYSTEM-USERNAME         PG-USERNAME
  apache          www-data                www

That used to work with postgres 8.3 (running on the same
box as apache, of course), now with postgres 9.0.1 I can't
get things like this to work:

pg_hba.conf

  # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
  local   my_dbname   www                               ident

The log shows the error message:

  LOG:  provided user name (www) and authenticated user name (www-data) do not match
  FATAL:  Ident authentication failed for user "www"

I can "fix" this by changing "ident" to "trust", but I'd
rather restrict access to just the apache user.

(Hm... maybe I need to try "ident map=apache"?)


Re: pg_ident.conf not working?

From
Joe Brenner
Date:
Joe Brenner <doom@kzsu.stanford.edu> wrote:

> I've noticed a difference in postgresql 8.3 and 9.0.1 that I suspect
> is a bug.  pg_ident.conf isn't working the way it used to.
>
> I have a website set-up with apache running as using user
> "www-data".  As I remember it, I found that it was difficult to
> set-up a postgres user name with a hyphen in it, so I fell back
> on creating a "www" postgres account, and I used the mapping:
>
> pg_ident.conf:
>
>   # MAPNAME       SYSTEM-USERNAME         PG-USERNAME
>   apache          www-data                www
>
> That used to work with postgres 8.3 (running on the same
> box as apache, of course), now with postgres 9.0.1 I can't
> get things like this to work:
>
> pg_hba.conf
>
>   # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
>   local   my_dbname   www                               ident
>
> The log shows the error message:
>
>   LOG:  provided user name (www) and authenticated user name (www-data) do not match
>   FATAL:  Ident authentication failed for user "www"
>
> I can "fix" this by changing "ident" to "trust", but I'd
> rather restrict access to just the apache user.
>
> (Hm... maybe I need to try "ident map=apache"?)

Yes, it turns out that if I use the "map" option to explicitly tell it
which line of pg_ident.conf I want it to use, I can get it to work.

I stumbled across that here:


http://www.builderau.com.au/program/mysql/soa/Why-PostgreSQL-is-a-better-enterprise-database-than-MySQL/0,339028784,339300964,00.htm

Though I see it is indeed explained where it should be, I just kept
skimming past it:

  http://developer.postgresql.org/pgdocs/postgres/auth-username-maps.html

More code examples would help...


Re: pg_ident.conf not working?

From
Robert Gravsjö
Date:

Joe Brenner skrev 2010-10-16 22.49:
> Joe Brenner<doom@kzsu.stanford.edu>  wrote:

 > I've noticed a difference in postgresql 8.3 and 9.0.1 that I suspect
 > is a bug.  pg_ident.conf isn't working the way it used to.

8< -- snip ---

>
> Though I see it is indeed explained where it should be, I just kept
> skimming past it:
>
>    http://developer.postgresql.org/pgdocs/postgres/auth-username-maps.html

That is the docs for the version being developed (currently 9.1).

You probably wanted
http://www.postgresql.org/docs/9.0/static/auth-username-maps.html

Don't think there's much difference in this case but I thought I'd point
it out just in case.

Regards,
Robert "roppert" Gravsjö

>
> More code examples would help...
>
>