Thread: ident client authentication
I have a problem with ident client authentication.
My server is debian sarge, pg version is 7.4.7, apache 2.0.54, mod_python 2.3. A python script is placed on the server and runs under mod_python in apache.
I make a request from firefox on a win 2k box to this server.
If I have
local all jim trust
in my pg_hba.conf file, all is well, my python script runs and delivers the expected output.
However, if I have
local all jim ident sameuser
I get FATAL: IDENT authentication failed for user jim, via mod-python debug and in postgres log.
jim is both a unix user (linux) and a postgres user.
Is this what would be expected?
How can I make ident authentication work?
Any help would be appreciated, including where this message should be posted if this list is inappropriate.
Paul Hide
Paul Hide wrote:
> I have a problem with ident client authentication.
> My server is debian sarge, pg version is 7.4.7, apache 2.0.54, mod_python
> 2.3. A python script is placed on the server and runs under mod_python in
> apache.
> However, if I have
> local all jim ident sameuser
> I get FATAL: IDENT authentication failed for user jim, via mod-python debug
> and in postgres log.
>
> jim is both a unix user (linux) and a postgres user.
>
> Is this what would be expected?
> How can I make ident authentication work?
At a guess, your Python script is running as the same user as your webserver (usually apache/www-data/nobody or similar). This is why the "ident sameuser" isn't working.
You'll either need to log in as the webserver user, or use password authentication.
> Any help would be appreciated, including where this message should be posted
> if this list is inappropriate.
This list is fine.
HTH
--
Richard Huxton
Archonet Ltd
On Tue, Nov 08, 2005 at 10:02:14 +0000, Paul Hide <paul.hide@gmail.com> wrote:
> I have a problem with ident client authentication.
> My server is debian sarge, pg version is 7.4.7, apache 2.0.54, mod_python
> 2.3. A python script is placed on the server and runs under mod_python in
> apache.
>
> I make a request from firefox on a win 2k box to this server.
> If I have
> local all jim trust
> in my pg_hba.conf file, all is well, my python script runs and delivers the
> expected output.
>
> However, if I have
> local all jim ident sameuser
> I get FATAL: IDENT authentication failed for user jim, via mod-python debug
> and in postgres log.
>
> jim is both a unix user (linux) and a postgres user.
>
> Is this what would be expected?
Does the web server run as user jim? That seems unusual. You may need to set up an ident map that allows user 'apache' (or whatever applies on your machine) to connect as postgres user 'jim'.
> How can I make ident authentication work?
>
> Any help would be appreciated, including where this message should be posted
> if this list is inappropriate.
>
> Paul Hide
Many thanks for your reply.
The web server runs as what/whoever it does by default. I haven't changed it.
I understand what you are getting at, because Richard Huxton pointed out to me that the script is probably running as the web server user.
The script runs as 'apache' (let us say), the connect in the python program is by 'jim'. Then what does sameuser mean in the hba file?
Paul Hide
Thanks for the reply.
Is this right then? For ident to work could I, as Bruno Wolff III suggested, map the apache user to jim using pg_ident?
I suppose if I do that it might be rather risky from a security point of view. Since any script running would then run as jim.
Perhaps I should do as you suggested and use password authentication.
Paul Hide
On Tue, Nov 08, 2005 at 17:18:32 +0000, Paul Hide <paul.hide@gmail.com> wrote:
> Many thanks for your reply.
>
> The web server runs as what/whoever it does by default. I haven't changed
> it.
>
> I understand what you are getting at, because Richard Huxton pointed out to
> me that the script is probably running as the web server user.
>
> The script runs as 'apache' (let us say), the connect in the python program
> is by 'jim'. Then what does sameuser mean in the hba file?
That is a special mapping that says that ident should return the same string as is used for the postgres username. Based on your description above, they aren't going to match. However, you can create custom ident maps that allow either apache or jim to connect as postgres user jim.
Paul Hide wrote:
> Thanks for the reply.
>
> Is this right then? For ident to work could I, as Bruno Wolff III suggested,
> map the apache user to jim using pg_ident?
>
> I suppose if I do that it might be rather risky from a security point of
> view. Since any script running would then run as jim.
Or *could* run as jim.
> Perhaps I should do as you suggested and use password authentication.
That would be my choice.
--
Richard Huxton
Archonet Ltd
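
The following is an added example, not code from any poster in this thread and not PostgreSQL's own implementation: a simplified Python model of how a `local ... ident` line is evaluated, covering both the `sameuser` behaviour Bruno describes and the custom map whose risk Paul and Richard discuss. The map name `webjim` and the sample `pg_ident.conf` content are assumptions constructed for illustration.

```python
# Simplified model of PostgreSQL 7.4 "ident" matching for local connections.
# Not PostgreSQL source code; the map name "webjim" is a made-up example.

# Constructed sample pg_ident.conf content: MAPNAME IDENT-USERNAME PG-USERNAME
PG_IDENT_CONF = """
# map      os user   postgres user
webjim     apache    jim
webjim     jim       jim
"""


def parse_ident_maps(text):
    """Return {mapname: set of (os_user, pg_user)} from pg_ident.conf text."""
    maps = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            name, os_user, pg_user = fields
            maps.setdefault(name, set()).add((os_user, pg_user))
    return maps


def ident_allows(hba_line, os_user, pg_user, maps):
    """Decide whether one 'local ... ident <map>' line admits the connection.

    os_user is the Unix account that owns the connecting process (what the
    server learns about the socket peer); pg_user is the name the client
    asked to connect as.
    """
    conn_type, _database, hba_user, method, option = hba_line.split()
    if conn_type != "local" or method != "ident":
        raise ValueError("this model only handles 'local ... ident' lines")
    if hba_user not in ("all", pg_user):
        return False  # line does not apply to this postgres user
    if option == "sameuser":
        return os_user == pg_user
    return (os_user, pg_user) in maps.get(option, set())


if __name__ == "__main__":
    maps = parse_ident_maps(PG_IDENT_CONF)
    for line, os_user in [
        ("local all jim ident sameuser", "apache"),  # the failing case in the thread
        ("local all jim ident sameuser", "jim"),
        ("local all jim ident webjim", "apache"),    # any code running as apache passes
        ("local all jim ident webjim", "nobody"),
    ]:
        verdict = "accepted" if ident_allows(line, os_user, "jim", maps) else "rejected"
        print(f"{line!r:34} os user {os_user!r:9} -> {verdict}")
```

The third case is the trade-off raised above: the map grants postgres user jim to every process running under the web server account, whereas password authentication ties access to a secret held only by the script that needs it.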