Thread: Problem w/ IDENT authentication

Problem w/ IDENT authentication

From
Ian Pilcher
Date:
I am trying to set up IDENT authentication for Tomcat 5 on my Fedora
Core 2 system.  I've added the appropriate line to pg_hba.conf:

host    tomcat4 tomcat4 127.0.0.1       255.255.255.255 ident   sameuser

This works as expected from a console:

     [root@home webapps]# su tomcat4
     sh-2.05b$ psql -h localhost tomcat4
     Welcome to psql 7.4.2, the PostgreSQL interactive terminal.

     Type:  \copyright for distribution terms
            \h for help with SQL commands
            \? for help on internal slash commands
            \g or terminate with semicolon to execute query
            \q to quit

     tomcat4=>

In my servlet I try to get a connection:

     db = DriverManager.getConnection("jdbc:postgresql:tomcat4",
             "tomcat4", "");

And I get the following:

     org.postgresql.util.PSQLException: A connection error has occurred:
     org.postgresql.util.PSQLException: FATAL: IDENT authentication
     failed for user "tomcat4"

I've verified that the servlet does run as tomcat4 by writing a
temporary file.

TIA for any ideas!

--
========================================================================
Ian Pilcher                                        i.pilcher@comcast.net
========================================================================

Re: Problem w/ IDENT authentication

From
Paul Thomas
Date:
On 26/07/2004 09:53 Ian Pilcher wrote:
> I am trying to set up IDENT authentication for Tomcat 5 on my Fedora
> Core 2 system.  I've added the appropriate line to pg_hba.conf:
>
> host    tomcat4 tomcat4 127.0.0.1       255.255.255.255 ident   sameuser
>
> This works as expected from a console:

that's because you're connecting via tcp/ip sockets from Tomcat and unix
domain sockets from psql. Personally, I find md5 + firewall more than
sufficient.

--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for
Business             |
| Computer Consultants         |
http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+

Re: Problem w/ IDENT authentication

From
Oliver Jowett
Date:
Paul Thomas wrote:
>
> On 26/07/2004 09:53 Ian Pilcher wrote:
>
>> I am trying to set up IDENT authentication for Tomcat 5 on my Fedora
>> Core 2 system.  I've added the appropriate line to pg_hba.conf:
>>
>> host    tomcat4 tomcat4 127.0.0.1       255.255.255.255 ident   sameuser
>>
>> This works as expected from a console:
>
>
> that's because you're connecting via tcp/ip sockets from Tomcat and unix
> domain sockets from psql.

He's passing '-h localhost' to psql so it should be using TCP/IP.

-O

Re: Problem w/ IDENT authentication

From
Paul Thomas
Date:
On 26/07/2004 11:28 Oliver Jowett wrote:
> [snip]
> He's passing '-h localhost' to psql so it should be using TCP/IP.

Oo, so it does.
--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for
Business             |
| Computer Consultants         |
http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+

Re: Problem w/ IDENT authentication

From
"Nick Fankhauser"
Date:
Your ph_hba line and connection URL look almost identical to the ones I've
used successfully. The only difference is that I used 255.255.255.0 for the
mask. What you've done is more correct, but you might try the change if
you're down to clutching at straws.

Are there other lines in the pg_hba that might conflict? I believe they are
read top-down and if an earlier line rejects, later ones don't count.

On the other hand, I'm more suspicious that somehow tomcat isn't really
running as user tomcat4, because the psql -h worked using the same pg_hba
setup.


How are you testing the user?

If you haven't already done it, I'd try adding:

System.out.println( System.getProperty("user.name") ) ;

System.out goes to stdout.log in your tomcat log directory, so you shouldn't
need to create a temp file to see the results.

You might also try specifying localhost either by name or address in the
URL. I've seen problems with localhost being undefined before. (It was on
OS/X, but perhaps Red Hat has a similar problem.)

Regards,
     -Nick
---------------------------------------------------------------------
Nick Fankhauser

    nickf@doxpop.com  Phone 1.765.965.7363  Fax 1.765.962.9788
doxpop - Court records at your fingertips - http://www.doxpop.com/



Re: Problem w/ IDENT authentication

From
Tom Lane
Date:
Ian Pilcher <i.pilcher@comcast.net> writes:
> I am trying to set up IDENT authentication for Tomcat 5 on my Fedora
> Core 2 system.  I've added the appropriate line to pg_hba.conf:
> host    tomcat4 tomcat4 127.0.0.1       255.255.255.255 ident   sameuser

Is it possible that jdbc tries to use an IPv6 rather than IPv4
connection in your setup?

It might be worth looking in the postmaster's stderr log to see if any
more information about the connection failure is there.  We often log
information that we don't report to the client for security reasons.

            regards, tom lane

Re: Problem w/ IDENT authentication

From
Ian Pilcher
Date:
Nick Fankhauser wrote:
>
> How are you testing the user?
>
> If you haven't already done it, I'd try adding:
>
> System.out.println( System.getProperty("user.name") ) ;
>

I've added a call to System.getProperty("user.name") to the servlet.
Here is the complete source code:

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.*;

public class HelloWorld extends HttpServlet
{
     public void doGet(HttpServletRequest request,
        HttpServletResponse response)
             throws ServletException, IOException
     {

         PrintWriter out = response.getWriter();
    out.println("Running as user '" +
        System.getProperty("user.name") + "'");

         try
    {
        Class.forName("org.postgresql.Driver");
    }
    catch (ClassNotFoundException cnfe)
    {
        out.println("Error loading JDBC driver: " + cnfe);
        return;
    }

    out.println("Successfully loaded JDBC driver");

    Connection db;

    try
    {
        db = DriverManager.getConnection(
                "jdbc:postgresql://127.0.0.1/tomcat4",
            "tomcat4", "");
    }
    catch (SQLException sqle)
    {
        out.println("Error connecting to database: " + sqle);
        return;
    }

    out.println("Successfully connected to database");

    try
    {
        db.close();
    }
    catch (SQLException sqle)
    {
        out.println("Error closing database: " + sqle);
        return;
    }

    out.println("Successfully closed database connection");
     }
}

And here is the output:

Running as user 'tomcat4'
Successfully loaded JDBC driver
Error connecting to database: org.postgresql.util.PSQLException: A
connection error has occurred: org.postgresql.util.PSQLException: FATAL:
IDENT authentication failed for user "tomcat4"

--
========================================================================
Ian Pilcher                                        i.pilcher@comcast.net
========================================================================

Re: Problem w/ IDENT authentication

From
Ian Pilcher
Date:
Tom Lane wrote:
>
> Is it possible that jdbc tries to use an IPv6 rather than IPv4
> connection in your setup?

I just tried it with "jdbc:postgresql://127.0.0.1/tomcat4" with the same
result.

> It might be worth looking in the postmaster's stderr log to see if any
> more information about the connection failure is there.  We often log
> information that we don't report to the client for security reasons.

Where can I find this log?

I've cranked up the logging verbosity in postgresql.conf:


#syslog = 0            # range 0-2; 0=stdout; 1=both; 2=syslog
syslog = 2
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'

# - When to Log -

#client_min_messages = notice    # Values, in order of decreasing detail:
                #   debug5, debug4, debug3, debug2, debug1,
                #   log, info, notice, warning, error
client_min_messages = debug5

#log_min_messages = notice    # Values, in order of decreasing detail:
                #   debug5, debug4, debug3, debug2, debug1,
                #   info, notice, warning, error, log, fatal,
                #   panic
log_min_messages = debug5

#log_error_verbosity = default   # terse, default, or verbose messages
log_error_verbosity = verbose

#log_min_error_statement = panic # Values in order of increasing severity:
                 #   debug5, debug4, debug3, debug2, debug1,
                 #   info, notice, warning, error, panic(off)
log_min_error_statement = debug5

#log_min_duration_statement = -1 # Log all statements whose
                 # execution time exceeds the value, in
                 # milliseconds.  Zero prints all queries.
                 # Minus-one disables.

#silent_mode = false         # DO NOT USE without Syslog!

# - What to Log -

#debug_print_parse = false
#debug_print_rewritten = false
#debug_print_plan = false
#debug_pretty_print = false
#log_connections = false
log_connections = true
#log_duration = false
#log_pid = false
#log_statement = false
#log_timestamp = false
#log_hostname = false
#log_source_port = false

All I see in the syslog for a failed connection is:

Jul 26 11:22:48 home postgres[24968]: [30-1] LOG:  00000: connection
received: host=127.0.0.1 port=34676
Jul 26 11:22:48 home postgres[24968]: [30-2] LOCATION:  BackendFork,
postmaster.c:2395
Jul 26 11:22:51 home postgres[24968]: [31-1] FATAL:  28000: IDENT
authentication failed for user "tomcat4"
Jul 26 11:22:51 home postgres[24968]: [31-2] LOCATION:  auth_failed,
auth.c:395

This doesn't tell me anything that I didn't already know.

--
========================================================================
Ian Pilcher                                        i.pilcher@comcast.net
========================================================================

Re: Problem w/ IDENT authentication

From
Tom Lane
Date:
Ian Pilcher <i.pilcher@comcast.net> writes:
> All I see in the syslog for a failed connection is:

> Jul 26 11:22:48 home postgres[24968]: [30-1] LOG:  00000: connection
> received: host=127.0.0.1 port=34676
> Jul 26 11:22:48 home postgres[24968]: [30-2] LOCATION:  BackendFork,
> postmaster.c:2395
> Jul 26 11:22:51 home postgres[24968]: [31-1] FATAL:  28000: IDENT
> authentication failed for user "tomcat4"
> Jul 26 11:22:51 home postgres[24968]: [31-2] LOCATION:  auth_failed,
> auth.c:395

> This doesn't tell me anything that I didn't already know.

Sometimes life's like that ;-).  But actually this does tell something:
the lack of any additional log message implies that we did get a
response from the ident server, since ident_inet() will bleat about
connection failures and so forth.  What I conclude is that ident is not
reporting tomcat4 as the owner of the tomcat process, but something
else.  Perhaps root?  How is the tomcat stuff getting launched, anyway?

            regards, tom lane

Re: Problem w/ IDENT authentication

From
Ian Pilcher
Date:
Tom Lane wrote:
>
> Sometimes life's like that ;-).  But actually this does tell something:
> the lack of any additional log message implies that we did get a
> response from the ident server, since ident_inet() will bleat about
> connection failures and so forth.  What I conclude is that ident is not
> reporting tomcat4 as the owner of the tomcat process, but something
> else.  Perhaps root?  How is the tomcat stuff getting launched, anyway?
>

I've recreated this problem with a very simple standalone Java program:

import java.sql.*;
import java.io.*;

public class JdbcTest
{
     public static void main(String[] args) throws Exception
     {
         Class.forName("org.postgresql.Driver");
    Connection db = DriverManager.getConnection(args[0], args[1],
                                                     args[2]);
    db.close();
     }
}

When I run it as tomcat4 I get the same IDENT authentication failure, so
it doesn't appear to be a Tomcat issue.

Turning on pidentd logging, it appears that it simply doesn't work for
Java processes.  Insert expletive here!

Thanks for your help!

--
========================================================================
Ian Pilcher                                        i.pilcher@comcast.net
========================================================================

Re: Problem w/ IDENT authentication

From
Tom Lane
Date:
Ian Pilcher <i.pilcher@comcast.net> writes:
> Turning on pidentd logging, it appears that it simply doesn't work for
> Java processes.  Insert expletive here!

That's annoying!  Maybe you could use a different ident server?

            regards, tom lane

Re: Problem w/ IDENT authentication

From
Ian Pilcher
Date:
Tom Lane wrote:
> Ian Pilcher <i.pilcher@comcast.net> writes:
>
>>Turning on pidentd logging, it appears that it simply doesn't work for
>>Java processes.  Insert expletive here!
>
>
> That's annoying!  Maybe you could use a different ident server?
>

Fortunately, pidentd is going to be replaced by authd in Fedora Core 3.
I downloaded the authd SRPM from FC3 test 1, built and installed in on
FC2, and life is good.

I did have to edit /etc/xinetd.d/auth to turn off encrypted responses
(as I had to do with pidentd).  Do you know if it's possible to get
PostgreSQL working with encrypted ident responses?

Thanks!

--
========================================================================
Ian Pilcher                                        i.pilcher@comcast.net
========================================================================

Re: Problem w/ IDENT authentication

From
Tom Lane
Date:
Ian Pilcher <i.pilcher@comcast.net> writes:
> I did have to edit /etc/xinetd.d/auth to turn off encrypted responses
> (as I had to do with pidentd).  Do you know if it's possible to get
> PostgreSQL working with encrypted ident responses?

There's no code for that now.  Want to write it?  As long as it's not
a huge addition, I think it would be accepted.

            regards, tom lane