Thread: ident authentication problem
Hi

I am running Mandrake 10 and would like to get sql-ledger to access the database.

I can get in to the database with a local user at the command prompt and Web Admin.

sql-ledger returns ident authentication problem.

the included faq has this to say

IDENT Authentication failed for user "postgres"

This error has everything to do with the way distros set up access rights for postgres. They are way too restrictive and leave you wondering what to do next.

Do yourself a favour and change authentication type in pg_hba.conf to

local all trust

I can't locate this file.

Any suggestions as to how to get SQL-Ledger online?

--
Thanks
Shanta McBain
Http://computersystemconsulting.ca Web hosting and Application Hosting.
> I am running Mandrake 10 and would like to get sql-ledger to access the
> database.

> the included faq
> has this to say
>
> Do yourself a favour and change authentication type in pg_hba.conf to
>
> local all trust
If you follow this sage advice you'll open up your financial data to anyone happening to have an account on the machine in question. Anyone. Not just people who also happen to have *PostgreSQL* DB accounts.

> Http://computersystemconsulting.ca Web hosting and Application Hosting.
Including any internet user visiting your pages if they succeed in getting your http server to run some script (if, of course, sql-ledger is on the exposed machine, which it shouldn't).

> I can't locate this file.
It's in a directory off the home dir of the PostgreSQL system account running the backends.

Do yourself a favour and read up on ident maps for PG authentication.

Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
Mandrake installs postgres in /var/lib/pgsql

So you should find the pg_hba.conf file in /var/lib/pgsql/data/

BTW: ever heard of locate? A simple

locate pg_hba.conf

should give you the location.

On Wednesday 21 April 2004 12:26 pm, Shanta McBain wrote:
> Hi
>
> I am running Mandrake 10 and would like to get sql-ledger to access the
> database.
>
> I can get in to the database with a local user at the command prompt and
> Web Admin.
>
> sql-ledger returns ident authentication problem.
>
> the included faq
> has this to say
>
> IDENT Authentication failed for user "postgres"
>
> This error has everything to do with the way distros set up access
> rights for postgres. They are way too restrictive and leave you wondering
> what to do next.
>
> Do yourself a favour and change authentication type in pg_hba.conf to
>
> local all trust
>
> I can't locate this file.
>
> Any suggestions as to how to get SQL-Ledger online?

--
UC

--
Open Source Solutions 4U, LLC   2570 Fleetwood Drive
Phone: +1 650 872 2425          San Bruno, CA 94066
Cell: +1 650 302 2405           United States
Fax: +1 650 872 2417
Shanta McBain <csc@computersystemconsulting.ca> wrote:
> [snip]
>
> Do yourself a favour and change authentication type in pg_hba.conf to
>
> local all trust
>
> I can't locate this file.
>
> Any suggestions as to how to get SQL-Ledger online?

You didn't mention what version of pgsql you're running... I'll assume 7.4.x. For this purpose, it probably doesn't matter?

You should start here

http://www.postgresql.org/docs/7.4/static/index.html

See Section III: "Server Administration"

--
Jim Seymour                  | Spammers sue anti-spammers:
jseymour@LinxNet.com         | http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com    | Please donate to the SpamCon Legal Fund:
                             | http://www.spamcon.org/legalfund/
Karsten Hilbert <Karsten.Hilbert@gmx.net> wrote:
>
> > I am running Mandrake 10 and would like to get sql-ledger to access the
> > database.
>
> > the included faq
> > has this to say
> >
> > Do yourself a favour and change authentication type in pg_hba.conf to
> >
> > local all trust
> If you follow this sage advice you'll open up your financial
> data to anyone happening to have an account on the machine in
> question. Anyone. Not just people who also happen to have
> *PostgreSQL* DB accounts.
[snip]

How, exactly, is that?

--
Jim Seymour                  | Spammers sue anti-spammers:
jseymour@LinxNet.com         | http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com    | Please donate to the SpamCon Legal Fund:
                             | http://www.spamcon.org/legalfund/
On April 21, 2004 13:26, Karsten Hilbert wrote:
> If you follow this sage advice you'll open up your financial
> data to anyone happening to have an account on the machine in
> question. Anyone. Not just people who also happen to have
> *PostgreSQL* DB accounts.
>
Did not sound like the right thing to do. That is why I asked. I am new to Postgres.

> Including any internet user visiting your pages if they
> succeed in getting your http server to run some script (if, of
> course, sql-ledger is on the exposed machine, which it
> shouldn't).
>
It's not. But I would rather not open it to the world anyway.

> > I can't locate this file.
>
> It's in a directory off the home dir of the PostgreSQL system
> account running the backends.
>
> Do yourself a favour and read up on ident maps for PG
> authentication.

Thanks for pointing me to what I needed to read to get it to see the database. It now accepts the authentication but complains of a missing directory or file.

This I don't know if it is SQL-Ledger problem or in Postgres. I will look deeper to find out.

Seems like all Mandrake setup for these kinds of services are not smooth. I have had repeated problems with getting MySQL, Perl DBI, etc working. Once I have gone through the process though it works well.

Thanks again for the tips.

Shanta

--
Thanks
Shanta McBain
Http://computersystemconsulting.ca Web hosting and Application Hosting.
On Wednesday 21 April 2004 04:53 pm, Shanta McBain wrote:
> On April 21, 2004 13:26, Karsten Hilbert wrote:
> > If you follow this sage advice you'll open up your financial
> > data to anyone happening to have an account on the machine in
> > question. Anyone. Not just people who also happen to have
> > *PostgreSQL* DB accounts.
>
> Did not sound like the right thing to do. That is why I asked. I am new to
> Postgres.
>
> > Including any internet user visiting your pages if they
> > succeed in getting your http server to run some script (if, of
> > course, sql-ledger is on the exposed machine, which it
> > shouldn't).
>
> It's not. But I would rather not open it to the world anyway.
>
> > > I can't locate this file.
> >
> > It's in a directory off the home dir of the PostgreSQL system
> > account running the backends.
> >
> > Do yourself a favour and read up on ident maps for PG
> > authentication.
>
> Thanks for pointing me to what I needed to read to get it to see the
> database. It now accepts the authentication but complains of a missing
> directory or file.
>
> This I don't know if it is SQL-Ledger problem or in Postgres. I will look
> deeper to find out.
>
> Seems like all Mandrake setup for these kinds of services are not smooth. I
> have had repeated problems with getting MySQL, Perl DBI, etc working. Once
> I have gone through the process though it works well.

It's not really a Mandrake problem. They are pretty close to Redhat. The problem is that a lot of the packages, particularly rpm's, are made for redhat and not Mandrake. So often you end up using a redhat rpm because a mandrake one was nowhere to be found, and then some tiny bit doesn't fit in.

UC

--
Open Source Solutions 4U, LLC   2570 Fleetwood Drive
Phone: +1 650 872 2425          San Bruno, CA 94066
Cell: +1 650 302 2405           United States
Fax: +1 650 872 2417
Jim Seymour wrote:
> Karsten Hilbert <Karsten.Hilbert@gmx.net> wrote:
>>If you follow this sage advice you'll open up your financial
>>data to anyone happening to have an account on the machine in
>>question. Anyone. Not just people who also happen to have
>>*PostgreSQL* DB accounts.
>
> [snip]
>
> How, exactly, is that?

The magic is in the -U flag for psql:

psql -U pg_superuser any_db

Greg
>
> Jim Seymour wrote:
> > Karsten Hilbert <Karsten.Hilbert@gmx.net> wrote:
> >>If you follow this sage advice you'll open up your financial
> >>data to anyone happening to have an account on the machine in
> >>question. Anyone. Not just people who also happen to have
> >>*PostgreSQL* DB accounts.
> >
> > [snip]
> >
> > How, exactly, is that?
>
> The magic is in the -U flag for psql:
>
> psql -U pg_superuser any_db

*Argh*! /me slaps self on forehead. Of course!

Jim
> > > Do yourself a favour and change authentication type in pg_hba.conf to
> > >
> > > local all trust
> > If you follow this sage advice you'll open up your financial
> > data to anyone happening to have an account on the machine in
> > question. Anyone. Not just people who also happen to have
> > *PostgreSQL* DB accounts.
>
> How, exactly, is that?
a) it seems SQL ledger wants to store data in PostgreSQL
b) I assume it wants to store *financial* data
c) local/all/trust means *all* *local* users are *trusted*, eg
   don't require any authentication, hence system account foo
   can access *all* databases (including the SQL-ledger one)
   even though foo does not have a corresponding DB account

Assuming, that there aren't any schema level restrictions (GRANTs) set up which may or may not be the case. Forgot to mention that point earlier on.

Or am I missing something ?

Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
On Thu, Apr 22, 2004 at 01:58:14PM +0200, Karsten Hilbert wrote:
> a) it seems SQL ledger wants to store data in PostgreSQL
> b) I assume it wants to store *financial* data
> c) local/all/trust means *all* *local* users are *trusted*, eg
> don't require any authentication, hence system account foo
> can access *all* databases (including the SQL-ledger one)
> even though foo does not have a corresponding DB account
>
> Assuming, that there aren't any schema level restrictions
> (GRANTs) set up which may or may not be the case. Forgot to
> mention that point earlier on.

If the data is protected by GRANT/REVOKE, a malicious (or curious) user can work around them by connecting as the database superuser, so in practice there's no protection at all.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Accept the honors and applause and you will lose your freedom"
On April 22, 2004 04:58, Karsten Hilbert wrote:
> >
> > How, exactly, is that?
>
> a) it seems SQL ledger wants to store data in PostgreSQL
It is the preferred database but I think you can use others.
> b) I assume it wants to store *financial* data
Yes, it is an accounting package.
> c) local/all/trust means *all* *local* users are *trusted*, eg
> don't require any authentication, hence system account foo
> can access *all* databases (including the SQL-ledger one)
> even though foo does not have a corresponding DB account
>
> Assuming, that there aren't any schema level restrictions
> (GRANTs) set up which may or may not be the case. Forgot to
> mention that point earlier on.
>
> Or am I missing something ?

I think the SQL-ledger docs were thinking in terms of a standalone system. My asking this question has gotten some interesting discussion of authentication and security.

I used the suggestion on mapping the users so Postgres would be able to relate to the SQL ledger user and the allowed Postgres user. This meant that SQL-ledger may access the database without opening the database to attack.

Much better solution for sure.

--
Thanks for the help.
Shanta McBain
Http://computersystemconsulting.ca Web hosting and Application Hosting.
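The exposure discussed in this thread, a `trust` record in pg_hba.conf letting clients connect without authentication, can be checked for mechanically. The following Python audit is an added example and not part of the original thread; it assumes the record layout of the 7.4 documentation (type, database, user, optional address and mask, method, option), and the sample file content, the database name `ledger` and the map name `ledgermap` are constructed.

```python
"""Flag pg_hba.conf records that use the `trust` method (added example)."""
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl"}

def _is_ip(token):
    """True when the token is a bare IP address, i.e. a separate netmask field."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_records(text):
    """Yield (lineno, type, database, user, method) for each record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or too short to hold a method
        rtype = fields[0]
        if rtype == "local":
            idx = 3  # Unix-socket records carry no address column
        elif rtype in HOST_TYPES:
            # address is CIDR (one field) or IP plus a separate netmask (two)
            idx = 5 if len(fields) > 5 and _is_ip(fields[4]) else 4
        else:
            continue
        if idx < len(fields):
            yield lineno, rtype, fields[1], fields[2], fields[idx]

def find_trust(text):
    """Return the records that admit clients with no authentication at all."""
    return [rec for rec in parse_records(text) if rec[4] == "trust"]

# Constructed sample: the FAQ-style trust record next to an ident-map record.
SAMPLE = """\
# TYPE  DATABASE  USER  [ADDRESS MASK]  METHOD [OPTION]
local   all       all                   trust
local   ledger    all                   ident ledgermap
host    all       all   127.0.0.1  255.255.255.255  md5
host    all       all   192.168.0.0/24  trust
"""

if __name__ == "__main__":
    for lineno, rtype, db, user, _ in find_trust(SAMPLE):
        print(f"line {lineno}: {rtype} db={db} user={user}: "
              "trust, no authentication required")
```

Run against a real file by passing its contents to `find_trust`; an empty result means no record uses `trust`.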