dbTalk Databases Forums  

Connect error

comp.databases.postgresql.novice

#11
Russell Shaw

Re: Connect error - 01-12-2004, 09:38 PM

Bruno Wolff III wrote:
Quote:
On Mon, Jan 12, 2004 at 07:42:41 -0800,
Bill Moseley <moseley (AT) hank (DOT) org> wrote:

I don't know php, but is it (or Apache) running as user russell? If
not, then you can't authorize by IDENT.

It is possible to authenticate using ident using a map that says the
webserver account is allowed to use the db account "russell". The web server
must either be on the same machine using domain sockets for connecting
(which looks to be the case here) or be running an ident server.

If you do this you are implicitly trusting the web server account, which
might not be a good idea in some circumstances. You might want to create
a separate db account for the web server with minimal privileges needed
for its task.

In pg_ident.conf, I put:

# MAPNAME IDENT-USERNAME PG-USERNAME
apache www-data russell
apache russell russell

This works:
psql -U russell parts_list

This doesn't:
psql -U www-data parts_list

It says: psql: FATAL: IDENT authentication failed for user "www-data"

I've tried adding -h localhost also.

How can I test the identd server for user www-data?
www-data is in /etc/passwd, and I can also su to it.


---------------------------(end of broadcast)---------------------------
TIP 8: explain analyze is your friend



#12
Bill Moseley

Re: Connect error - 01-13-2004, 12:03 AM

On Tue, Jan 13, 2004 at 02:38:04PM +1100, Russell Shaw wrote:
Quote:
In pg_ident.conf, i put:

# MAPNAME IDENT-USERNAME PG-USERNAME
apache www-data russell
apache russell russell

This works:
psql -U russell parts_list

This doesn't:
psql -U www-data parts_list

It says: psql: FATAL: IDENT authentication failed for user "www-data"

I don't think that's how it works. But, I'm just learning -- so I'll
try and get it correct (but no guarantees).

The idea is you can do this:

$ su www-data # now you are the web server user
$ psql -U russell parts_lists

So you are saying with -U that you want to connect as the *Postgres*
user "russell". Now, normally, postgres would do an ident[1] and say,
"Ok, you want to connect as user "russell" but the ident returned you
as user "www-data" so you are not authenticated."

But, by using the map:

apache www-data russell

that says (or so I'm guessing) that "ok, when ident returns 'www-data'
map that to user 'russell' and use that username for connecting
to the database." And thus you are requesting to connect as user (-U)
russell and now the ident has been mapped to user russell so you are
authenticated.

Or to say it another way, when you are user "russell" and you connect
to psql it can do an ident and say authenticate that you really are
"russell". But when you are another unix user, but you use -U to
specify the username, it can't authenticate you -- so the map allows
mapping of one unix username to another for authentication purposes.

All that, of course, has to work with pg_hba.conf.

BTW - I found it somewhat confusing because the default (at least mine)
pg_hba.conf says any user that is also a postgres user can authenticate
and then access any database when they connect from their own account.

local all all ident sameuser

Quote:
I've tried adding -h localhost also.

How can i test the identd server for user www-data?
www-data is in /etc/passwd, and I can also su to it.

Yes, but www-data is not a Postgres user -- and doesn't need to be.

[1] Also, when using psql you don't need an ident server running to
authenticate -- just like "whoami" will report your username without
using an ident server. That said, I hope someone will explain that
better with regard to how unix-domain sockets work.

I trust someone will correct any errors in the above...


--
Bill Moseley
moseley (AT) hank (DOT) org


#13
Russell Shaw

Re: Connect error - 01-13-2004, 03:17 AM

Bill Moseley wrote:
Quote:
On Tue, Jan 13, 2004 at 02:38:04PM +1100, Russell Shaw wrote:

In pg_ident.conf, I put:

# MAPNAME IDENT-USERNAME PG-USERNAME
apache www-data russell
apache russell russell

This works:
psql -U russell parts_list

This doesn't:
psql -U www-data parts_list

It says: psql: FATAL: IDENT authentication failed for user "www-data"

I don't think that's how it works. But, I'm just learning -- so I'll
try and get it correct (but no guarantees).

Hi,
By a process of elimination, I think it works like this:

The script is:

<?php
$conn = pg_connect("dbname=parts_list user=russell");
if (!$conn) {
    // pg_connect() returns false on failure and raises a warning with the reason;
    // pg_result_error() needs a query result, so read the warning instead
    $err = error_get_last();
    exit($err ? $err['message'] : "connection failed");
}
?>

Apache accesses postgres postmaster saying it is russell (from the php
user=russell above). However, postmaster finds out by identd that the
process (apache) is user www-data. So, ident user www-data needs to be
mapped as postgres user russell in pg_ident.conf. I have in pg_hba.conf:

# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD

local all postgres ident sameuser
local all russell ident apache
host all russell 127.0.0.1 255.255.255.255 ident apache
local all all ident sameuser
host all all 127.0.0.1 255.255.255.255 ident sameuser
host all all 0.0.0.0 0.0.0.0 reject

pg_ident.conf:

# MAPNAME IDENT-USERNAME PG-USERNAME
apache www-data russell



#14
Russell Shaw

Re: Connect error - 01-13-2004, 03:51 AM

Bill Moseley wrote:
Quote:
On Tue, Jan 13, 2004 at 02:38:04PM +1100, Russell Shaw wrote:

In pg_ident.conf, I put:

# MAPNAME IDENT-USERNAME PG-USERNAME
apache www-data russell
apache russell russell

This works:
psql -U russell parts_list

This doesn't:
psql -U www-data parts_list

It says: psql: FATAL: IDENT authentication failed for user "www-data"

I don't think that's how it works. But, I'm just learning -- so I'll
try and get it correct (but no guarantees).

Hi,
By a process of elimination, I think it works like this:

The script is:

<?php
$conn = pg_connect("dbname=parts_list user=russell");
if (!$conn) {
    // pg_connect() returns false on failure and raises a warning with the reason;
    // pg_result_error() needs a query result, so read the warning instead
    $err = error_get_last();
    exit($err ? $err['message'] : "connection failed");
}
?>

Apache accesses postgres postmaster saying it is russell (from the php
user=russell above). However, postmaster finds out by identd that the
process (apache) is user www-data. So, ident user www-data needs to be
mapped as postgres user russell in pg_ident.conf. I have in pg_hba.conf:

# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD

local all postgres ident sameuser
local all russell ident apache
host all russell 127.0.0.1 255.255.255.255 ident apache
local all all ident sameuser
host all all 127.0.0.1 255.255.255.255 ident sameuser
host all all 0.0.0.0 0.0.0.0 reject

pg_ident.conf:

# MAPNAME IDENT-USERNAME PG-USERNAME
apache www-data russell
apache russell russell # for non-apache
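
An added example, not from the thread or from PostgreSQL itself: a small Python simulation of the first-match rule that Bill and Russell are working out, run over constructed copies of the pg_hba.conf and pg_ident.conf posted above (with post #14's extra pg_ident.conf line left out so its effect can be shown). It assumes only the `ident` and `reject` methods, the built-in `sameuser` map, and says nothing about whether the requested role exists; `check()` returns the decision and the index of the pg_hba line that produced it.

```python
import ipaddress

# Constructed copies of the two files posted in this thread.
PG_HBA = """\
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all postgres ident sameuser
local all russell ident apache
host all russell 127.0.0.1 255.255.255.255 ident apache
local all all ident sameuser
host all all 127.0.0.1 255.255.255.255 ident sameuser
host all all 0.0.0.0 0.0.0.0 reject
"""
PG_IDENT = """\
# MAPNAME IDENT-USERNAME PG-USERNAME
apache www-data russell
"""

def parse(text):
    """Split a config file into token lists, dropping blanks and comments."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def ident_map_allows(ident_lines, mapname, os_user, pg_user):
    """'sameuser' is built in; any other map name is looked up in pg_ident.conf."""
    if mapname == "sameuser":
        return os_user == pg_user
    return any(m == mapname and iu == os_user and pu == pg_user
               for m, iu, pu in ident_lines)

def check(hba_text, ident_text, conn_type, db, pg_user, os_user, addr=None):
    """First pg_hba line whose type/db/user/address match wins: return (decision, index)."""
    ident_lines = parse(ident_text)
    for idx, line in enumerate(parse(hba_text)):
        if line[0] != conn_type:
            continue
        if conn_type == "local":
            _, ldb, luser, method, *opt = line
        else:
            _, ldb, luser, ip, mask, method, *opt = line
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if ipaddress.ip_address(addr) not in net:
                continue
        if ldb not in ("all", db) or luser not in ("all", pg_user):
            continue
        if method == "reject":
            return "reject", idx
        assert method == "ident"  # the only other method in this thread's config
        mapname = opt[0] if opt else "sameuser"
        ok = ident_map_allows(ident_lines, mapname, os_user, pg_user)
        return ("allow" if ok else "deny"), idx
    return "no-match", None
```

With only the `apache www-data russell` map line, an OS user `russell` asking for role `russell` is denied at the `local all russell ident apache` line and never reaches the later `sameuser` line, which is why post #14 adds `apache russell russell`; the same walk shows that `www-data` can only ever reach the one role the map names.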

