Thread: Problem w/ IDENT authentication

I am trying to set up IDENT authentication for Tomcat 5 on my Fedora
Core 2 system. I've added the appropriate line to pg_hba.conf:

    host tomcat4 tomcat4 127.0.0.1 255.255.255.255 ident sameuser

This works as expected from a console:

    [root@home webapps]# su tomcat4
    sh-2.05b$ psql -h localhost tomcat4
    Welcome to psql 7.4.2, the PostgreSQL interactive terminal.

    Type:  \copyright for distribution terms
           \h for help with SQL commands
           \? for help on internal slash commands
           \g or terminate with semicolon to execute query
           \q to quit

    tomcat4=>

In my servlet I try to get a connection:

    db = DriverManager.getConnection("jdbc:postgresql:tomcat4", "tomcat4", "");

And I get the following:

    org.postgresql.util.PSQLException: A connection error has occurred:
    org.postgresql.util.PSQLException: FATAL: IDENT authentication failed
    for user "tomcat4"

I've verified that the servlet does run as tomcat4 by writing a
temporary file.

TIA for any ideas!

--
========================================================================
Ian Pilcher                                        i.pilcher@comcast.net
========================================================================

On 26/07/2004 09:53 Ian Pilcher wrote:
> I am trying to set up IDENT authentication for Tomcat 5 on my Fedora
> Core 2 system. I've added the appropriate line to pg_hba.conf:
>
>     host tomcat4 tomcat4 127.0.0.1 255.255.255.255 ident sameuser
>
> This works as expected from a console:

That's because you're connecting via TCP/IP sockets from Tomcat and
Unix domain sockets from psql.

Personally, I find md5 + firewall more than sufficient.

--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for Business             |
|    Computer Consultants      | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+

Paul Thomas wrote:
>
> On 26/07/2004 09:53 Ian Pilcher wrote:
>
>> I am trying to set up IDENT authentication for Tomcat 5 on my Fedora
>> Core 2 system. I've added the appropriate line to pg_hba.conf:
>>
>>     host tomcat4 tomcat4 127.0.0.1 255.255.255.255 ident sameuser
>>
>> This works as expected from a console:
>
> That's because you're connecting via TCP/IP sockets from Tomcat and
> Unix domain sockets from psql.

He's passing '-h localhost' to psql so it should be using TCP/IP.

-O

On 26/07/2004 11:28 Oliver Jowett wrote:
> [snip]
> He's passing '-h localhost' to psql so it should be using TCP/IP.

Oo, so it does.

--
Paul Thomas
Thomas Micro Systems Limited
http://www.thomas-micro-systems-ltd.co.uk

Your pg_hba line and connection URL look almost identical to the ones
I've used successfully. The only difference is that I used 255.255.255.0
for the mask. What you've done is more correct, but you might try the
change if you're down to clutching at straws.

Are there other lines in the pg_hba that might conflict? I believe they
are read top-down and if an earlier line rejects, later ones don't count.

On the other hand, I'm more suspicious that somehow tomcat isn't really
running as user tomcat4, because the psql -h worked using the same
pg_hba setup. How are you testing the user?

If you haven't already done it, I'd try adding:

    System.out.println( System.getProperty("user.name") ) ;

System.out goes to stdout.log in your tomcat log directory, so you
shouldn't need to create a temp file to see the results.

You might also try specifying localhost either by name or address in the
URL. I've seen problems with localhost being undefined before. (It was
on OS/X, but perhaps Red Hat has a similar problem.)

Regards,

-Nick

---------------------------------------------------------------------
Nick Fankhauser
nickf@doxpop.com  Phone 1.765.965.7363  Fax 1.765.962.9788
doxpop - Court records at your fingertips - http://www.doxpop.com/
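The two points raised so far, that psql without -h would go through a Unix-domain socket while the JDBC driver always uses TCP, and that pg_hba.conf is matched top-down, decide which authentication method the postmaster even attempts. The following is an added example, not code from the thread or from PostgreSQL, that simulates that record selection for the 7.4-era file format. The records other than the poster's ident line are constructed neighbours, and group names (+group) and the sameuser/samegroup database keywords are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed pg_hba.conf, not the poster's actual file: the ident record is
# the one from the thread, the other records are plausible neighbours.
PG_HBA = """\
# TYPE  DATABASE  USER     IP-ADDRESS   IP-MASK          METHOD
local   all       all                                    trust
host    tomcat4   tomcat4  127.0.0.1    255.255.255.255  ident sameuser
host    all       all      127.0.0.1    255.255.255.255  md5
host    all       all      0.0.0.0      0.0.0.0          reject
"""

# The same records with the broad md5 record moved above the ident record.
PG_HBA_SHADOWED = """\
local   all       all                                    trust
host    all       all      127.0.0.1    255.255.255.255  md5
host    tomcat4   tomcat4  127.0.0.1    255.255.255.255  ident sameuser
"""


@dataclass
class Record:
    conn_type: str                              # local | host | hostssl | hostnossl
    database: str
    user: str
    network: Optional[ipaddress.IPv4Network]    # None for local records
    method: str                                 # method plus option, e.g. "ident sameuser"


def parse_pg_hba(text: str) -> list:
    """Parse 7.4-style records: 'local' carries no address, 'host*' carries
    either ADDRESS MASK or a CIDR ADDRESS/PREFIX, then the method."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type, database, user = fields[:3]
        if conn_type == "local":
            network, rest = None, fields[3:]
        elif "/" in fields[3]:
            network, rest = ipaddress.IPv4Network(fields[3], strict=False), fields[4:]
        else:
            network = ipaddress.IPv4Network((fields[3], fields[4]), strict=False)
            rest = fields[5:]
        records.append(Record(conn_type, database, user, network, " ".join(rest)))
    return records


def choose_method(records, via_unix_socket: bool, client_ip: Optional[str],
                  database: str, user: str) -> str:
    """Return the method of the FIRST record matching the connection. If that
    method then fails, PostgreSQL does not fall through to later records, so
    the order of the file decides which method is tried at all."""
    for rec in records:
        if via_unix_socket != (rec.conn_type == "local"):
            continue        # socket type is checked before anything else
        if not via_unix_socket and ipaddress.IPv4Address(client_ip) not in rec.network:
            continue
        if rec.database not in ("all", database):
            continue
        if rec.user not in ("all", user):
            continue
        return rec.method
    return "reject"         # no record matched: the connection is refused


if __name__ == "__main__":
    records = parse_pg_hba(PG_HBA)
    print("psql with no -h (Unix socket):   ", choose_method(records, True, None, "tomcat4", "tomcat4"))
    print("psql -h localhost and JDBC (TCP):", choose_method(records, False, "127.0.0.1", "tomcat4", "tomcat4"))
    print("another database over loopback:  ", choose_method(records, False, "127.0.0.1", "other", "other"))
    print("client on the LAN:               ", choose_method(records, False, "192.168.1.5", "tomcat4", "tomcat4"))
    print("md5 record listed before ident:  ",
          choose_method(parse_pg_hba(PG_HBA_SHADOWED), False, "127.0.0.1", "tomcat4", "tomcat4"))
```

With the records in the first order, psql -h localhost and the JDBC driver hit the same ident record, which is why the two behaving differently cannot be explained by pg_hba.conf alone. In the shadowed order the ident record is never consulted for loopback clients: a broad record placed above a narrow one silently replaces its method.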

Ian Pilcher <i.pilcher@comcast.net> writes:
> I am trying to set up IDENT authentication for Tomcat 5 on my Fedora
> Core 2 system. I've added the appropriate line to pg_hba.conf:
>     host tomcat4 tomcat4 127.0.0.1 255.255.255.255 ident sameuser

Is it possible that jdbc tries to use an IPv6 rather than IPv4
connection in your setup?

It might be worth looking in the postmaster's stderr log to see if any
more information about the connection failure is there. We often log
information that we don't report to the client for security reasons.

regards, tom lane

Nick Fankhauser wrote:
>
> How are you testing the user?
>
> If you haven't already done it, I'd try adding:
>
>     System.out.println( System.getProperty("user.name") ) ;
>

I've added a call to System.getProperty("user.name") to the servlet.
Here is the complete source code:

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.sql.*;

    public class HelloWorld extends HttpServlet {

        public void doGet(HttpServletRequest request,
                          HttpServletResponse response)
                throws ServletException, IOException {

            PrintWriter out = response.getWriter();

            out.println("Running as user '"
                        + System.getProperty("user.name") + "'");

            try {
                Class.forName("org.postgresql.Driver");
            } catch (ClassNotFoundException cnfe) {
                out.println("Error loading JDBC driver: " + cnfe);
                return;
            }
            out.println("Successfully loaded JDBC driver");

            Connection db;
            try {
                db = DriverManager.getConnection(
                        "jdbc:postgresql://127.0.0.1/tomcat4", "tomcat4", "");
            } catch (SQLException sqle) {
                out.println("Error connecting to database: " + sqle);
                return;
            }
            out.println("Successfully connected to database");

            try {
                db.close();
            } catch (SQLException sqle) {
                out.println("Error closing database: " + sqle);
                return;
            }
            out.println("Successfully closed database connection");
        }
    }

And here is the output:

    Running as user 'tomcat4'
    Successfully loaded JDBC driver
    Error connecting to database: org.postgresql.util.PSQLException: A
    connection error has occurred: org.postgresql.util.PSQLException:
    FATAL: IDENT authentication failed for user "tomcat4"

--
Ian Pilcher                                        i.pilcher@comcast.net

Tom Lane wrote:
>
> Is it possible that jdbc tries to use an IPv6 rather than IPv4
> connection in your setup?

I just tried it with "jdbc:postgresql://127.0.0.1/tomcat4" with the
same result.

> It might be worth looking in the postmaster's stderr log to see if any
> more information about the connection failure is there. We often log
> information that we don't report to the client for security reasons.

Where can I find this log? I've cranked up the logging verbosity in
postgresql.conf:

    #syslog = 0                     # range 0-2; 0=stdout; 1=both; 2=syslog
    syslog = 2
    #syslog_facility = 'LOCAL0'
    #syslog_ident = 'postgres'

    # - When to Log -

    #client_min_messages = notice   # Values, in order of decreasing detail:
                                    #   debug5, debug4, debug3, debug2, debug1,
                                    #   log, info, notice, warning, error
    client_min_messages = debug5

    #log_min_messages = notice      # Values, in order of decreasing detail:
                                    #   debug5, debug4, debug3, debug2, debug1,
                                    #   info, notice, warning, error, log, fatal,
                                    #   panic
    log_min_messages = debug5

    #log_error_verbosity = default  # terse, default, or verbose messages
    log_error_verbosity = verbose

    #log_min_error_statement = panic # Values in order of increasing severity:
                                     #   debug5, debug4, debug3, debug2, debug1,
                                     #   info, notice, warning, error, panic(off)
    log_min_error_statement = debug5

    #log_min_duration_statement = -1 # Log all statements whose
                                     # execution time exceeds the value, in
                                     # milliseconds.  Zero prints all queries.
                                     # Minus-one disables.

    #silent_mode = false            # DO NOT USE without Syslog!

    # - What to Log -

    #debug_print_parse = false
    #debug_print_rewritten = false
    #debug_print_plan = false
    #debug_pretty_print = false
    #log_connections = false
    log_connections = true
    #log_duration = false
    #log_pid = false
    #log_statement = false
    #log_timestamp = false
    #log_hostname = false
    #log_source_port = false

All I see in the syslog for a failed connection is:

    Jul 26 11:22:48 home postgres[24968]: [30-1] LOG:  00000: connection received: host=127.0.0.1 port=34676
    Jul 26 11:22:48 home postgres[24968]: [30-2] LOCATION:  BackendFork, postmaster.c:2395
    Jul 26 11:22:51 home postgres[24968]: [31-1] FATAL:  28000: IDENT authentication failed for user "tomcat4"
    Jul 26 11:22:51 home postgres[24968]: [31-2] LOCATION:  auth_failed, auth.c:395

This doesn't tell me anything that I didn't already know.

--
Ian Pilcher                                        i.pilcher@comcast.net

Ian Pilcher <i.pilcher@comcast.net> writes:
> All I see in the syslog for a failed connection is:
> Jul 26 11:22:48 home postgres[24968]: [30-1] LOG:  00000: connection
> received: host=127.0.0.1 port=34676
> Jul 26 11:22:48 home postgres[24968]: [30-2] LOCATION:  BackendFork,
> postmaster.c:2395
> Jul 26 11:22:51 home postgres[24968]: [31-1] FATAL:  28000: IDENT
> authentication failed for user "tomcat4"
> Jul 26 11:22:51 home postgres[24968]: [31-2] LOCATION:  auth_failed,
> auth.c:395
> This doesn't tell me anything that I didn't already know.

Sometimes life's like that ;-). But actually this does tell something:
the lack of any additional log message implies that we did get a
response from the ident server, since ident_inet() will bleat about
connection failures and so forth. What I conclude is that ident is not
reporting tomcat4 as the owner of the tomcat process, but something
else. Perhaps root? How is the tomcat stuff getting launched, anyway?

regards, tom lane

Tom Lane wrote:
>
> Sometimes life's like that ;-). But actually this does tell something:
> the lack of any additional log message implies that we did get a
> response from the ident server, since ident_inet() will bleat about
> connection failures and so forth. What I conclude is that ident is not
> reporting tomcat4 as the owner of the tomcat process, but something
> else. Perhaps root? How is the tomcat stuff getting launched, anyway?
>

I've recreated this problem with a very simple standalone Java program:

    import java.sql.*;
    import java.io.*;

    public class JdbcTest {

        public static void main(String[] args) throws Exception {
            Class.forName("org.postgresql.Driver");
            Connection db = DriverManager.getConnection(args[0], args[1], args[2]);
            db.close();
        }
    }

When I run it as tomcat4 I get the same IDENT authentication failure,
so it doesn't appear to be a Tomcat issue.

Turning on pidentd logging, it appears that it simply doesn't work for
Java processes. Insert expletive here!

Thanks for your help!

--
Ian Pilcher                                        i.pilcher@comcast.net
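Tom Lane's reasoning above rests on what the postmaster does with the identd reply, and the pidentd result is the case where that reply carries no user at all. The following is an added example, not code from the thread or from PostgreSQL, that plays out the RFC 1413 exchange in-process: the port-pair query the server sends, a simulated identd answering from a constructed socket-owner table, and the "ident sameuser" comparison. The port 34676 is the client port from the syslog line; 5432 is assumed to be the postmaster port, the socket-owner table is made up, and the explicit check for an opaque (OTHER) user-id is this example's addition: PostgreSQL simply compares the returned string, which fails for such a token just the same.

```python
import re

IDENT_PORT = 113    # RFC 1413 identd listens here on the *client* host

# Constructed table standing in for what identd derives from the kernel's
# socket list: (port local to the client host, server port) -> owning user.
# 34676 is the client port from the thread's log line; the rest is made up.
SOCKET_OWNERS = {
    (34676, 5432): "tomcat4",   # a psql session run as tomcat4
    (34690, 5432): "root",      # a connection from a process running as root
}

_QUERY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def ident_query(client_port: int, server_port: int) -> str:
    """What the postmaster sends: the port pair, with the port that is local
    to the host answering the query (the client's port) first."""
    return f"{client_port} , {server_port}\r\n"


def identd_reply(query: str, owners: dict) -> str:
    """Minimal server side. NO-USER is the answer when the daemon cannot map
    the socket to a process, the outcome Ian reports from pidentd for Java."""
    m = _QUERY.match(query.rstrip("\r\n"))
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    cport, sport = int(m.group(1)), int(m.group(2))
    owner = owners.get((cport, sport))
    if owner is None:
        return f"{cport} , {sport} : ERROR : NO-USER\r\n"
    return f"{cport} , {sport} : USERID : UNIX : {owner}\r\n"


def parse_ident_reply(reply: str, client_port: int, server_port: int):
    """Return ("USERID", (opsys, user)), ("ERROR", token) or ("MALFORMED", text).
    A reply whose echoed port pair differs from the query is not trusted."""
    m = _REPLY.match(reply.rstrip("\r\n"))
    if not m:
        return ("MALFORMED", reply.strip())
    if (int(m.group(1)), int(m.group(2))) != (client_port, server_port):
        return ("MALFORMED", "port pair does not echo the query")
    if m.group(3) == "ERROR":
        return ("ERROR", m.group(4))
    opsys, _, user = m.group(4).partition(":")   # user-id may itself hold ':'
    return ("USERID", (opsys.strip(), user.strip()))


def sameuser_decision(reply: str, client_port: int, server_port: int,
                      requested_user: str):
    """The 'ident sameuser' rule: accept only when identd returns a plain
    login name identical to the database user being requested."""
    status, payload = parse_ident_reply(reply, client_port, server_port)
    if status != "USERID":
        return (False, f"identd reply unusable: {status} {payload}")
    opsys, ident_user = payload
    # OTHER marks the user-id as an opaque string (e.g. an encrypted token),
    # which can never equal a login name; this check is the example's own.
    if opsys.split(",")[0].strip().upper() == "OTHER":
        return (False, "identd returned an opaque token, not a login name")
    if ident_user != requested_user:
        return (False, f"identd says {ident_user!r}, connection requested {requested_user!r}")
    return (True, "ok")


def check_connection(client_port: int, server_port: int, requested_user: str,
                     owners: dict = SOCKET_OWNERS):
    """Run the whole exchange in-process: query, simulated reply, decision."""
    reply = identd_reply(ident_query(client_port, server_port), owners)
    return sameuser_decision(reply, client_port, server_port, requested_user)


if __name__ == "__main__":
    for cport in (34676, 34690, 40000):
        print(cport, check_connection(cport, 5432, "tomcat4"))
```

All three failure shapes reach the postmaster as a well-formed reply, which is why the log shows only the generic auth_failed line: an ERROR reply, a USERID reply naming a different account, and an opaque token all end in the same "IDENT authentication failed" without any identd connection error being logged.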

Ian Pilcher <i.pilcher@comcast.net> writes:
> Turning on pidentd logging, it appears that it simply doesn't work for
> Java processes. Insert expletive here!

That's annoying! Maybe you could use a different ident server?

regards, tom lane

Tom Lane wrote:
> Ian Pilcher <i.pilcher@comcast.net> writes:
>
>> Turning on pidentd logging, it appears that it simply doesn't work for
>> Java processes. Insert expletive here!
>
> That's annoying! Maybe you could use a different ident server?
>

Fortunately, pidentd is going to be replaced by authd in Fedora Core 3.
I downloaded the authd SRPM from FC3 test 1, built and installed it on
FC2, and life is good.

I did have to edit /etc/xinetd.d/auth to turn off encrypted responses
(as I had to do with pidentd). Do you know if it's possible to get
PostgreSQL working with encrypted ident responses?

Thanks!

--
Ian Pilcher                                        i.pilcher@comcast.net

Ian Pilcher <i.pilcher@comcast.net> writes:
> I did have to edit /etc/xinetd.d/auth to turn off encrypted responses
> (as I had to do with pidentd). Do you know if it's possible to get
> PostgreSQL working with encrypted ident responses?

There's no code for that now. Want to write it? As long as it's not a
huge addition, I think it would be accepted.

regards, tom lane