Participants
David Link
David Link
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1David LinkDavid Link
May 11, 2006
#2Tom LaneTom Laneto David Link (#1)
May 11, 2006
#3David LinkDavid Linkto Tom Lane (#2)
May 12, 2006
#4Tom LaneTom Laneto David Link (#3)
May 12, 2006

ident authentication with named localhost

Started by David Linkalmost 20 years ago4 messagesgeneral
Jump to latest
#1David Link
David Link
dlink@soundscan.com

Hi,

I am having trouble with ident authentication. Everything is working
fine except when specifying host for connections on the local machine.

pg_hba.conf:

local all all ident wp
host all all 10.97.8.0/24 ident wp

pg_ident.conf:

wp dlink dlink
wp dlink firstalert
wp dlink postgres
wp dlink video
wp postgres postgres
wp wwwrun firstalert
wp wwwrun video

If the db is on mach1 and the Unix user is dlink the following works

dlink@mach1$ psql -d mydb -U postgres
dlink@mach2$ psql -d mydb -U postgres -h mach1 # from remote machine

While the following does not: (nor with perl DBI)

dlink@mach1$ psql -d mydb -U postgres -h mach1
dlink@mach1$ psql -d mydb -U postgres -h localhost
dlink@mach1$ psql -d mydb -U postgres -h 10.97.8.244
dlink@mach1$ psql -d mydb -U postgres -h 127.0.0.1

If I add the following to pg_hba.conf it works of course:

host all all 10.97.8.244/32 trust

But this does not:

host all all 10.97.8.244/32 ident wp.

If I try as the postgres Unix user then it works:

postgres@mach1$ psql -d mydb -U postgres -h mach1

We are using:
SUSE 9 / Linux 2.6.5-7
Postgresql 8.1
And LDAP.

The problem might be due to how identd works on localhost with LDAP.
The postgres user is found in /etc/passwd, while the dlink user is not.

Incidentally, get this, on a second machine (with same software) what's
described here as not working, works intermittently. Now it worked.
Now it didn't. For dlink user. Weird.

Does anyone know how I can test ident? I can telnet 10.97.8.244 113.
The server port I know is 5432, but what's the client port to give?

Any and all help greatly appreciated.
Thanks.
David Link

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: David Link (#1)
Re: ident authentication with named localhost

David Link <dlink@soundscan.com> writes:

Does anyone know how I can test ident?

I'd try sniffing the IP traffic to and from it with a packet sniffer
and/or tracing the daemon's system calls with strace. Manually invoking
the daemon isn't going to prove a lot, you want to watch its reaction
to Postgres.

I believe some flavors of identd have debug tracing options, too
... check the man page ...

regards, tom lane

#3David Link
David Link
dlink@soundscan.com
In reply to: Tom Lane (#2)
Re: ident authentication with named localhost

Tom Lane wrote:

David Link <dlink@soundscan.com> writes:

Does anyone know how I can test ident?

I'd try sniffing the IP traffic to and from it with a packet sniffer
and/or tracing the daemon's system calls with strace. Manually invoking
the daemon isn't going to prove a lot, you want to watch its reaction
to Postgres.

Thanks for your suggestion. I'm new to the concept of packet sniffing
and tracing. Can you suggest where I should go or what I should read to
better understand this?

I believe some flavors of identd have debug tracing options, too
... check the man page ...

Too bad no one else has reported this and already found an answer.
Maybe I should move to md5 authentication, however I wanted to avoid
having to type passwords.

Thanks,

#4Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: David Link (#3)
Re: ident authentication with named localhost

David Link <dlink@soundscan.com> writes:

Thanks for your suggestion. I'm new to the concept of packet sniffing
and tracing. Can you suggest where I should go or what I should read to
better understand this?

"man strace" ... strace is probably easier to use for this purpose than
a packet sniffer, and it'll generate a more complete view of what the
daemon is doing, too.

regards, tom lane

← Back to Topics