authentication

comp.databases.postgresql.novice


#1 tim hall
authentication - 08-23-2004, 09:15 PM

Hi,

I'm using PostgreSQL 7.4.3 on i386-pc-linux-gnu, compiled by GCC
i386-linux-gcc (GCC) 3.3.4 (Debian 1:3.3.4-3).

I'm fine with most things except I simply don't understand how authentication
works - I have RTFM'd and still don't get it. I have no trouble connecting
with the Postmaster on my local machine via command-line psql, but I'm not
experiencing the same joy with Python or PgAccess, both return similar errors
if I specify the Host as 'localhost':

Python:
_pg.error: FATAL: IDENT authentication failed for user "tim"
and something very similar from PgAccess, which I don't appear to be able to
cut & paste. I'm sure it's trivially simple, if anyone could point me to a
clear explanation of how to do this on a GNU system, I'd be grateful.

cheers

tim hall

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster


#2 Tom Lane
Re: authentication - 08-23-2004, 10:11 PM

tim hall <tech (AT) glastonburymusic (DOT) org.uk> writes:
> I'm fine with most things except I simply don't understand how authentication
> works - I have RTFM'd and still don't get it. I have no trouble connecting
> with the Postmaster on my local machine via command-line psql, but I'm not
> experiencing the same joy with Python or PgAccess, both return similar errors
> if I specify the Host as 'localhost':
>
> Python:
> _pg.error: FATAL: IDENT authentication failed for user "tim"

IDENT works very differently for connections across TCP (which I suspect
is what Python/PgAccess are using) versus connections across a Unix
socket (which is what psql will use by default). I suspect you are not
running an IDENT daemon, which is needed in the first case but not the
second. But you should look in the postmaster log to find out more.

regards, tom lane

#3 Oliver Elphick
Re: authentication - 08-24-2004, 01:58 AM

On Tue, 2004-08-24 at 03:15, tim hall wrote:
> Hi,
>
> I'm using PostgreSQL 7.4.3 on i386-pc-linux-gnu, compiled by GCC
> i386-linux-gcc (GCC) 3.3.4 (Debian 1:3.3.4-3).
>
> I'm fine with most things except I simply don't understand how authentication
> works - I have RTFM'd and still don't get it. I have no trouble connecting
> with the Postmaster on my local machine via command-line psql, but I'm not
> experiencing the same joy with Python or PgAccess, both return similar errors
> if I specify the Host as 'localhost':

host=localhost uses TCP/IP. This is not the same as your local setup,
where host=<empty string>, which uses a Unix socket. If you specify
host=<empty string> to pgaccess, it should work like your local
connection and use a Unix socket (so long as the client is on the same
machine as the postmaster). As Tom pointed out, if you use a TCP/IP
connection, you need an ident server running on the client's machine to
support IDENT authentication.

By the way, you should not use IDENT authentication between machines
unless you fully trust the administration of the client machines; faking
ident responses is quite easy to do.

> Python:
> _pg.error: FATAL: IDENT authentication failed for user "tim"
> and something very similar from PgAccess, which I don't appear to be able to
> cut & paste. I'm sure it's trivially simple, if anyone could point me to a
> clear explanation of how to do this on a GNU system, I'd be grateful.

--
Oliver Elphick olly (AT) lfix (DOT) co.uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
"I saw in the night visions, and, behold, one like the
Son of man came with the clouds of heaven, and came to
the Ancient of days, and they brought him near before
him. And there was given him dominion, and glory, and
a kingdom, that all people, nations, and languages,
should serve him; his dominion is an everlasting
dominion, which shall not pass away, and his kingdom
that which shall not be destroyed."
Daniel 7:13,14


#4 tim hall
Re: authentication - 08-24-2004, 09:15 AM

Thanks Tom & Oliver for your swift replies.

Last Tuesday 24 August 2004 07:58, Oliver Elphick was like:
> On Tue, 2004-08-24 at 03:15, tim hall wrote:
> > Hi,
> >
> > I'm using PostgreSQL 7.4.3 on i386-pc-linux-gnu, compiled by GCC
> > i386-linux-gcc (GCC) 3.3.4 (Debian 1:3.3.4-3).
> >
> > I'm fine with most things except I simply don't understand how
> > authentication works - I have RTFM'd and still don't get it. I have no
> > trouble connecting with the Postmaster on my local machine via
> > command-line psql, but I'm not experiencing the same joy with Python or
> > PgAccess, both return similar errors if I specify the Host as
> > 'localhost':
>
> host=localhost uses TCP/IP. This is not the same as your local setup,
> where host=<empty string>, which uses a Unix socket. If you specify
> host=<empty string> to pgaccess, it should work like your local
> connection and use a Unix socket (so long as the client is on the same
> machine as the postmaster). As Tom pointed out, if you use a TCP/IP
> connection, you need an ident server running on the client's machine to
> support IDENT authentication.

Ah right. I switched to trust based authentication so I could COPY my data
into place on localhost, not ideal in the long term, but it'll do while I
figure things out. The word 'server' was the missing bit from my
understanding of IDENT, I'd read the bit in the docs that says 'start the
server with the -i option' and had got as far as reading
through /etc/init.d/postgresql in the hope there was something obvious in
there :-] Perhaps it will make more sense if I look in the right place!

> By the way, you should not use IDENT authentication between machines
> unless you fully trust the administration of the client machines; faking
> ident responses is quite easy to do.

OK, thanks for the warning. I'll get it working the way I want it with my
local version of apache before I try to deal with external machines. I'm
going to have to be VERY sure of what I'm doing as my external server (and
entire LUG) is LAMP oriented and (rightly) rather paranoid security-wise. I
discover they had some misapprehensions about the sturdiness and maturity of
PostgreSQL.

Well, I'll continue my studies and hope to do a pypg presentation for my local
group at some point in the not too distant future. Meeting you (Oliver) at
Olympia in April helped me decide to stop flirting with LAMP and get on with
the approach that I feel comfortable with (PostgreSQL + Python).

Your support and work is very much appreciated.

cheers

tim hall

#5 Oliver Elphick
Re: authentication - 08-24-2004, 09:57 AM

On Tue, 2004-08-24 at 15:15, tim hall wrote:
> > host=localhost uses TCP/IP. This is not the same as your local setup,
> > where host=<empty string>, which uses a Unix socket. If you specify
> > host=<empty string> to pgaccess, it should work like your local
> > connection and use a Unix socket (so long as the client is on the same
> > machine as the postmaster). As Tom pointed out, if you use a TCP/IP
> > connection, you need an ident server running on the client's machine to
> > support IDENT authentication.
>
> Ah right. I switched to trust based authentication so I could COPY my data
> into place on localhost, not ideal in the long term, but it'll do while I
> figure things out. The word 'server' was the missing bit from my
> understanding of IDENT, I'd read the bit in the docs that says 'start the
> server with the -i option'

or with the tcp_ip option in postgresql.conf
[shouldn't that connection error message be updated?]

> and had got as far as reading
> through /etc/init.d/postgresql in the hope there was something obvious in
> there :-] Perhaps it will make more sense if I look in the right place!
>
> > By the way, you should not use IDENT authentication between machines
> > unless you fully trust the administration of the client machines; faking
> > ident responses is quite easy to do.

On the other hand IDENT authentication for local connections is very
secure; subverting that would need the local kernel to be compromised.

> OK, thanks for the warning. I'll get it working the way I want it with my
> local version of apache before I try to deal with external machines. I'm
> going to have to be VERY sure of what I'm doing as my external server (and
> entire LUG) is LAMP oriented and (rightly) rather paranoid security-wise. I
> discover they had some misapprehensions about the sturdiness and maturity of
> PostgreSQL.

I think LAMP implies web browser, in which case use of IDENT
authentication is inappropriate any way. That's because the connection
is made by the webserver, which is certainly not running with the
username that wants to log into postgresql. With a browser, you need to
use md5 authentication and prompt for username and password.

> Well, I'll continue my studies and hope to do a pypg presentation for my local
> group at some point in the not too distant future. Meeting you (Oliver) at
> Olympia in April helped me decide to stop flirting with LAMP and get on with
> the approach that I feel comfortable with (PostgreSQL + Python).

Nice to hear that!

--
Oliver Elphick olly (AT) lfix (DOT) co.uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
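Added example (not part of the thread and not code from any poster): a small Python model of how the host setting picks the transport and which pg_hba.conf line then decides the authentication method, which is why psql over the Unix socket succeeds while host=localhost fails without an ident daemon. The pg_hba.conf text, the addresses and all function names are constructed for illustration, and the matching is simplified (no sameuser or group handling).

```python
import ipaddress

# Constructed, simplified pg_hba.conf (not from the thread). First match wins.
SAMPLE_HBA = """
# TYPE  DATABASE  USER  CIDR-ADDRESS   METHOD
local   all       all                  ident sameuser
host    all       all   127.0.0.1/32   ident sameuser
host    webdb     all   192.0.2.0/24   md5
"""

def parse_hba(text):
    """Parse rules in file order; 'local' lines carry no address column."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            rules.append({"type": "local", "db": f[1], "user": f[2],
                          "net": None, "method": f[3]})
        else:
            rules.append({"type": f[0], "db": f[1], "user": f[2],
                          "net": ipaddress.ip_network(f[3]), "method": f[4]})
    return rules

def transport(host):
    """As described in the thread: empty host = Unix socket, otherwise TCP/IP."""
    return "local" if not host else "host"

def auth_method(rules, host, client_ip, database, user):
    """Return (transport, method) of the first rule that matches the connection."""
    kind = transport(host)
    for r in rules:
        if r["type"] != kind or r["db"] not in ("all", database):
            continue
        if r["user"] not in ("all", user):
            continue
        if kind == "host" and ipaddress.ip_address(client_ip) not in r["net"]:
            continue
        return kind, r["method"]
    return kind, "reject"  # no matching line: the server refuses the connection

def who_vouches(kind, method):
    """Who asserts the client's OS user name for this transport/method pair."""
    if method != "ident":
        return "not applicable: %s does not rely on the OS user name" % method
    return ("the local kernel, via the Unix socket" if kind == "local"
            else "an ident daemon on the client machine (TCP port 113)")

RULES = parse_hba(SAMPLE_HBA)
```

With these constructed rules, an empty host resolves to the local ident line, while host=localhost resolves to the TCP ident line, whose answer is only as trustworthy as the machine running the ident daemon.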