Thread: trouble configuring Postgres with Identd authentication
Tonight I tinkered with getting identd authentication working with Postgres 7.0.2. It appeared to accept my configuration, but the connections were failing when it seemed they shouldn't. The sequence looked like this:

#####
elkhorn@ns elkhorn> psql -d elkhorn -u
psql: Warning: The -u option is deprecated. Use -U.
Username: elkhorn
Password:
psql: IDENT authentication failed for user 'elkhorn'
####

The password was correct, and the user and database named elkhorn appear on the postgres server.

So from there I tried to verify that identd on nollie was working as expected. Based on some docs I found, I tried a basic raw identd connection:

#####
bash-2.04$ telnet nollie 113
Trying 208.196.32.199...
Connected to nollie.summersault.com.
Escape character is '^]'.
3342 , 23
3342 , 23 : ERROR : NO-USER
#########

I tried something similar with the identd server and got a similar result:

root@philoxenist data]# telnet localhost 113
#########
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
23,2372
23 , 2372 : ERROR : UNKNOWN-ERROR
#############

For reference, I was using a line in pg_hba.conf like this:

# host all 199.120.185.10 255.255.255.255 ident sameuser

Both the host and client are running FreeBSD 4.x.

So I'm not sure what's wrong. At the moment this looks like an identd problem rather than a Postgres issue. :) Perhaps one of you has run into this before, though?

Thanks.

-mark

personal website             }   Summersault Website Development
http://mark.stosberg.com/    {   http://www.summersault.com/

Mark Stosberg <mark@summersault.com> writes:
> Tonight I tinkered with getting identd authentication working
> with Postgres 7.0.2. It appeared to accept my configuration, but the
> connections were failing when it
> seemed they shouldn't.

Is there a firewall or router between the client and server machines? I've found the hard way that identd doesn't work for connections that pass through a NAT-enabled router, because the port numbers are different on the two sides of the router, so that the port number sent in the ident request doesn't match anything the identd daemon can see. (I suppose the router could fix this if it knew about ident requests, but at least my Netopia router does not do that ...)

> The sequence looked like this:
> #####
> elkhorn@ns elkhorn> psql -d elkhorn -u
> psql: Warning: The -u option is deprecated. Use -U.

Hm, is PGHOST set in the environment? Otherwise this will try to do a Unix-socket connection, which does not work with ident.

regards, tom lane
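
Added example (not part of the original thread and not PostgreSQL's code): a minimal RFC 1413 ident exchange in Python, showing why identd answers NO-USER when the queried port pair matches no connection it can see, which is what happens when NAT rewrites the source port. Port 5432 (the PostgreSQL default), the ephemeral ports and the connection table are constructed assumptions.

```python
import re

QUERY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:(.*)$")

def identd_answer(query, connections):
    """Toy identd. `connections` maps (port on identd host, port on querying
    host) of established TCP connections to the owning local user."""
    m = QUERY.match(query)
    if not m:
        return "0 , 0 : ERROR : UNKNOWN-ERROR"
    local, remote = int(m.group(1)), int(m.group(2))
    if not (1 <= local <= 65535 and 1 <= remote <= 65535):
        return f"{local} , {remote} : ERROR : INVALID-PORT"
    user = connections.get((local, remote))
    if user is None:
        # No established connection with this exact port pair.
        return f"{local} , {remote} : ERROR : NO-USER"
    return f"{local} , {remote} : USERID : UNIX : {user}"

def parse_reply(line):
    """Return (user, error); exactly one of the two is None."""
    m = REPLY.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 1413 reply: {line!r}")
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        return None, rest.strip()
    _opsys, sep, user = rest.partition(":")
    if not sep:
        raise ValueError("USERID reply without a user field")
    return user.strip(), None  # surrounding blanks trimmed as a simplification

def ident_check(seen_client_port, server_port, claimed_user, connections):
    """What an 'ident sameuser' check boils down to: ask the client's identd
    who owns the connection, then compare with the requested database user."""
    query = f"{seen_client_port} , {server_port}"
    user, error = parse_reply(identd_answer(query, connections))
    return user == claimed_user, error or user

# Constructed sample: psql on the client holds ephemeral port 40112 -> 5432.
CLIENT_CONNS = {(40112, 5432): "elkhorn"}

if __name__ == "__main__":
    print(ident_check(40112, 5432, "elkhorn", CLIENT_CONNS))  # direct connection
    print(ident_check(61003, 5432, "elkhorn", CLIENT_CONNS))  # source port rewritten by NAT
    print(ident_check(3342, 23, "elkhorn", CLIENT_CONNS))     # pair with no live connection
```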

Tom Lane wrote:
>
> Mark Stosberg <mark@summersault.com> writes:
> > Tonight I tinkered with getting identd authentication working
> > with Postgres 7.0.2. It appeared to accept my configuration, but the
> > connections were failing when it
> > seemed they shouldn't.
>
> Is there a firewall or router between the client and server machines?
> I've found the hard way that identd doesn't work for connections that
> pass through a NAT-enabled router, because the port numbers are
> different on the two sides of the router, so that the port number sent
> in the ident request doesn't match anything the identd daemon can see.
> (I suppose the router could fix this if it knew about ident requests,
> but at least my Netopia router does not do that ...)

Thanks for the response Tom. There is no firewall or router between the machines, and they are on the same LAN.

> > The sequence looked like this:
> >
> > #####
> > elkhorn@ns elkhorn> psql -d elkhorn -u
> > psql: Warning: The -u option is deprecated. Use -U.
>
> Hm, is PGHOST set in the environment? Otherwise this will try to do a
> Unix-socket connection, which does not work with ident.

Actually, I used the "-h host" option although I trimmed it out of the example. In the production environment, I'll be using a Perl/DBI connect string. Am I correct in my assumption that these are equivalent to setting PGHOST?

Thanks,

-mark

personal website             }   Summersault Website Development
http://mark.stosberg.com/    {   http://www.summersault.com/