Thread: ident authentication problem

ident authentication problem

From: Shanta McBain

Hi

I am running Mandrake 10 and would like to get sql-ledger to access the
database.

I can get in to the database with a local user at the command prompt and Web
Admin.

sql-ledger returns ident authentication problem.

the included faq
has this to say

  IDENT Authentication failed for user "postgres"

   This error has everything to do with the way distros set up access rights
for postgres. They are way too restrictive and leave you wondering what to do
next.

Do yourself a favour and change authentication type in pg_hba.conf to

local           all              trust

I can't locate this file.

Any suggestions as to how to get SQL-Ledger online?

--
Thanks
Shanta McBain
Http://computersystemconsulting.ca Web hosting and Application Hosting.

Re: ident authentication problem

From: Karsten Hilbert

> I am running Mandrake 10 and would like to get sql-ledger to access the
> database.

> the included faq
> has this to say
>
> Do yourself a favour and change authentication type in pg_hba.conf to
>
> local           all              trust
If you follow this sage advice you'll open up your financial
data to anyone happening to have an account on the machine in
question. Anyone. Not just people who also happen to have
*PostgreSQL* DB accounts.

> Http://computersystemconsulting.ca Web hosting and Application Hosting.
Including any internet user visiting your pages if they
succeed in getting your http server to run some script (if, of
course, sql-ledger is on the exposed machine, which it
shouldn't).

> I can't locate this file.
It's in a directory off the home dir of the PostgreSQL system
account running the backends.

Do yourself a favour and read up on ident maps for PG
authentication.

Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346

Re: ident authentication problem

From: "Uwe C. Schroeder"

Mandrake installs postgres in /var/lib/pgsql
So you should find the pg_hba.conf file in /var/lib/pgsql/data/

BTW: ever heard of locate ? A simple locate pg_hba.conf should give you the
location.


On Wednesday 21 April 2004 12:26 pm, Shanta McBain wrote:
> Hi
>
> I am running Mandrake 10 and would like to get sql-ledger to access the
> database.
>
> I can get in to the database with a local user at the command prompt and
> Web Admin.
>
> sql-ledger returns ident authentication problem.
>
> the included faq
> has this to say
>
>   IDENT Authentication failed for user "postgres"
>
>    This error has everything to do with the way distros set up access
> rights for postgres. They are way too restrictive and leave you wondering
> what to do next.
>
> Do yourself a favour and change authentication type in pg_hba.conf to
>
> local           all              trust
>
> I can't locate this file.
>
> Any suggestions as to how to get SQL-Ledger online?

    UC

--
Open Source Solutions 4U, LLC    2570 Fleetwood Drive
Phone:  +1 650 872 2425        San Bruno, CA 94066
Cell:   +1 650 302 2405        United States
Fax:    +1 650 872 2417


Re: ident authentication problem

From: jseymour@LinxNet.com (Jim Seymour)

Shanta McBain <csc@computersystemconsulting.ca> wrote:
>
[snip]
>
> Do yourself a favour and change authentication type in pg_hba.conf to
>
> local           all              trust
>
> I can't locate this file.
>
> Any suggestions as to how to get SQL-Ledger online?

You didn't mention what version of pgsql you're running... I'll assume
7.4.x.  For this purpose, it probably doesn't matter?

You should start here

    http://www.postgresql.org/docs/7.4/static/index.html

See Section III: "Server Administration"

--
Jim Seymour                | Spammers sue anti-spammers:
jseymour@LinxNet.com       |     http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com  | Please donate to the SpamCon Legal Fund:
                           |     http://www.spamcon.org/legalfund/

Re: ident authentication problem

From: jseymour@LinxNet.com (Jim Seymour)

Karsten Hilbert <Karsten.Hilbert@gmx.net> wrote:
>
> > I am running Mandrake 10 and would like to get sql-ledger to access the
> > database.
>
> > the included faq
> > has this to say
> >
> > Do yourself a favour and change authentication type in pg_hba.conf to
> >
> > local           all              trust
> If you follow this sage advice you'll open up your financial
> data to anyone happening to have an account on the machine in
> question. Anyone. Not just people who also happen to have
> *PostgreSQL* DB accounts.
[snip]

How, exactly, is that?

--
Jim Seymour                | Spammers sue anti-spammers:
jseymour@LinxNet.com       |     http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com  | Please donate to the SpamCon Legal Fund:
                           |     http://www.spamcon.org/legalfund/

Re: ident authentication problem

From: Shanta McBain

On April 21, 2004 13:26, Karsten Hilbert wrote:
> If you follow this sage advice you'll open up your financial
> data to anyone happening to have an account on the machine in
> question. Anyone. Not just people who also happen to have
> *PostgreSQL* DB accounts.
>

Did not sound like the right thing to do. That is why I asked. I am new to
Postgres.

> Including any internet user visiting your pages if they
> succeed in getting your http server to run some script (if, of
> course, sql-ledger is on the exposed machine, which it
> shouldn't).
>

It's not. But I would rather not open it to the world anyway.

> > I can't locate this file.
>
> It's in a directory off the home dir of the PostgreSQL system
> account running the backends.
>
> Do yourself a favour and read up on ident maps for PG
> authentication.

Thanks for pointing me to what I needed to read to get it to see the database.
It now accepts the authentication but complains of a missing directory or
file.

This I don't know if it is a SQL-Ledger problem or in Postgres. I will look
deeper to find out.

Seems like all Mandrake setups for these kinds of services are not smooth. I
have had repeated problems with getting MySQL, Perl DBI, etc. working. Once I
have gone through the process though it works well.

Thanks again for the tips.

Shanta


--
Thanks
Shanta McBain
Http://computersystemconsulting.ca Web hosting and Application Hosting.

Re: ident authentication problem

From: "Uwe C. Schroeder"

On Wednesday 21 April 2004 04:53 pm, Shanta McBain wrote:
> On April 21, 2004 13:26, Karsten Hilbert wrote:
> > If you follow this sage advice you'll open up your financial
> > data to anyone happening to have an account on the machine in
> > question. Anyone. Not just people who also happen to have
> > *PostgreSQL* DB accounts.
>
> Did not sound like the right thing to do. That is why I asked. I am new to
> Postgres.
>
> > Including any internet user visiting your pages if they
> > succeed in getting your http server to run some script (if, of
> > course, sql-ledger is on the exposed machine, which it
> > shouldn't).
>
> It's not. But I would rather not open it to the world anyway.
>
> > > I can't locate this file.
> >
> > It's in a directory off the home dir of the PostgreSQL system
> > account running the backends.
> >
> > Do yourself a favour and read up on ident maps for PG
> > authentication.
>
> Thanks for pointing me to what I needed to read to get it to see the
> database. It now accepts the authentication but complains of a missing
> directory or file.
>
> This I don't know if it is a SQL-Ledger problem or in Postgres. I will look
> deeper to find out.
>
> Seems like all Mandrake setups for these kinds of services are not smooth. I
> have had repeated problems with getting MySQL, Perl DBI, etc. working. Once
> I have gone through the process though it works well.

It's not really a Mandrake problem. They are pretty close to Redhat. The
problem is that a lot of the packages, particularly rpm's, are made for
redhat and not Mandrake. So often you end up using a redhat rpm because a
mandrake one was nowhere to be found and then some tiny bit doesn't fit in.

    UC

--
Open Source Solutions 4U, LLC    2570 Fleetwood Drive
Phone:  +1 650 872 2425        San Bruno, CA 94066
Cell:   +1 650 302 2405        United States
Fax:    +1 650 872 2417


Re: ident authentication problem

From: Gregory Wood

Jim Seymour wrote:
> Karsten Hilbert <Karsten.Hilbert@gmx.net> wrote:
>>If you follow this sage advice you'll open up your financial
>>data to anyone happening to have an account on the machine in
>>question. Anyone. Not just people who also happen to have
>>*PostgreSQL* DB accounts.
>
> [snip]
>
> How, exactly, is that?

The magic is in the -U flag for psql:

psql -U pg_superuser any_db

Greg

Re: ident authentication problem

From: jseymour@LinxNet.com (Jim Seymour)

>
> Jim Seymour wrote:
> > Karsten Hilbert <Karsten.Hilbert@gmx.net> wrote:
> >>If you follow this sage advice you'll open up your financial
> >>data to anyone happening to have an account on the machine in
> >>question. Anyone. Not just people who also happen to have
> >>*PostgreSQL* DB accounts.
> >
> > [snip]
> >
> > How, exactly, is that?
>
> The magic is in the -U flag for psql:
>
> psql -U pg_superuser any_db

*Argh*!  /me slaps self on forehead.  Of course!

Jim

Re: ident authentication problem

From: Karsten Hilbert

> > > Do yourself a favour and change authentication type in pg_hba.conf to
> > >
> > > local           all              trust
> > If you follow this sage advice you'll open up your financial
> > data to anyone happening to have an account on the machine in
> > question. Anyone. Not just people who also happen to have
> > *PostgreSQL* DB accounts.
>
> How, exactly, is that?
a) it seems SQL ledger wants to store data in PostgreSQL
b) I assume it wants to store *financial* data
c) local/all/trust means *all* *local* users are *trusted*, eg
   don't require any authentication, hence system account foo
   can access *all* databases (including the SQL-ledger one)
   even though foo does not have a corresponding DB account

Assuming, that there aren't any schema level restrictions
(GRANTs) set up which may or may not be the case. Forgot to
mention that point earlier on.

Or am I missing something ?

Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346

Re: ident authentication problem

From: Alvaro Herrera

On Thu, Apr 22, 2004 at 01:58:14PM +0200, Karsten Hilbert wrote:

> a) it seems SQL ledger wants to store data in PostgreSQL
> b) I assume it wants to store *financial* data
> c) local/all/trust means *all* *local* users are *trusted*, eg
>    don't require any authentication, hence system account foo
>    can access *all* databases (including the SQL-ledger one)
>    even though foo does not have a corresponding DB account
>
> Assuming, that there aren't any schema level restrictions
> (GRANTs) set up which may or may not be the case. Forgot to
> mention that point earlier on.

If the data is protected by GRANT/REVOKE, a malicious (or curious) user
can work around them by connecting as the database superuser, so in
practice there's no protection at all.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Acepta los honores y aplausos y perderás tu libertad"

Re: ident authentication problem

From: Shanta McBain

On April 22, 2004 04:58, Karsten Hilbert wrote:
> >
> > How, exactly, is that?
>
> a) it seems SQL ledger wants to store data in PostgreSQL

It is the preferred database but I think you can use others.

> b) I assume it wants to store *financial* data

Yes, it is an accounting package.

> c) local/all/trust means *all* *local* users are *trusted*, eg
>    don't require any authentication, hence system account foo
>    can access *all* databases (including the SQL-ledger one)
>    even though foo does not have a corresponding DB account
>
> Assuming, that there aren't any schema level restrictions
> (GRANTs) set up which may or may not be the case. Forgot to
> mention that point earlier on.
>
> Or am I missing something ?

I think the SQL-ledger docs were thinking in terms of a stand alone system. My
asking this question has gotten some interesting discussion of authentication
and security. I used the suggestion on mapping the users so Postgres would
be able to relate to the SQL ledger user and the allowed Postgres user. This
meant that SQL-ledger may access the database without opening the database to
attack. Much better solution for sure.



--
Thanks for the help.
Shanta McBain
Http://computersystemconsulting.ca Web hosting and Application Hosting.
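
The difference the thread arrives at, modelled as an added example (not part of any poster's message and not PostgreSQL's own code): how a 7.4-format pg_hba.conf decides a Unix-socket login under the FAQ's `trust` record versus an ident map. The sample files, the map name `ledger`, the OS account `apache` and the role `sql-ledger` are constructed assumptions; only `all` or exact names and the `trust` and `ident` methods are modelled.

```python
"""Model how a 7.4-format pg_hba.conf decides a local (Unix-socket) login.
Added example; a simplified sketch, not PostgreSQL's own matching code."""

# Constructed samples. FAQ_HBA is the FAQ's record written in the four-column
# form (TYPE DATABASE USER METHOD); the map "ledger", OS account "apache" and
# role "sql-ledger" are assumptions, not values from the thread.
FAQ_HBA = "local  all  all  trust\n"
MAPPED_HBA = """\
# TYPE  DATABASE    USER        METHOD  OPTION
local   sql-ledger  sql-ledger  ident   ledger
local   all         postgres    ident   sameuser
"""
PG_IDENT = """\
# MAPNAME  IDENT-USERNAME  PG-USERNAME
ledger     apache          sql-ledger
"""

def records(text):
    """Split each non-blank, non-comment line into whitespace-separated fields."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r for r in rows if r]

def local_login_allowed(os_user, role, db, hba_text, ident_text=""):
    """True if OS account os_user may connect to db as role over the socket."""
    for rec in records(hba_text):
        if rec[0] != "local" or len(rec) < 4:
            continue
        _, rec_db, rec_user, method, *opt = rec
        if rec_db not in ("all", db) or rec_user not in ("all", role):
            continue
        # The first matching record decides; later records are never consulted.
        if method == "trust":
            return True   # no check: whatever role the client names is believed
        if method == "ident":
            mapname = opt[0] if opt else "sameuser"
            if mapname == "sameuser":
                return os_user == role
            return [mapname, os_user, role] in records(ident_text)
        return False      # reject, or a method this sketch does not model
    return False          # no record matched: connection refused

def trust_records(hba_text):
    """Audit helper: records using trust (over-flags a role literally named trust)."""
    return [r for r in records(hba_text) if "trust" in r[2:]]
```

With `FAQ_HBA`, an unrelated account such as `foo` is accepted as `postgres`; with `MAPPED_HBA` and `PG_IDENT`, only `apache` is accepted as `sql-ledger` and only the `postgres` OS account as `postgres`.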