Bug 189698
| Summary: | authd doesn't work with postgresql | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Behdad Esfahbod <behdad> |
| Component: | postgresql | Assignee: | Tom Lane <tgl> |
| Status: | CLOSED NOTABUG | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Priority: | medium |
| Version: | 5 | CC: | hhorak, kzak |
| Hardware: | All | Keywords: | Reopened |
| OS: | Linux | Doc Type: | Bug Fix |
| Last Closed: | 2006-08-11 12:10:56 UTC | | |

Description
Behdad Esfahbod
2006-04-23 11:11:14 UTC
Make sure that the auth service is configured correctly. You can't send postgresql encrypted data (server_args without -E):

```
service auth
{
        disable = no
        socket_type = stream
        wait = no
        user = ident
        cps = 4096 10
        instances = UNLIMITED
        server = /usr/sbin/in.authd
        server_args = -t60 --xerror --os #-E
}
```

```
# sudo -u postgres psql -h localhost
Welcome to psql 8.1.3, the PostgreSQL interactive terminal.
```

So, shouldn't this be the default configuration then?

What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server side setting correct?

(In reply to comment #3)
> What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server
> side setting correct?

I was using the default configuration, and it's been working flawlessly in previous versions of Fedora.

Encryption is the default option in FC5....

This *is* a bug. If encryption is the default in Fedora, then postgres default config should be made to understand it. NOTABUG doesn't fix it.

Okay, reassigning to postgresql, could we enable the encryption here?

No. To postgres, the entire point of ident authentication is to find out the real username of the connecting process, and encrypted authd purposely prevents the requestor from finding that out. The fact that the complainer thinks it's a bug doesn't make it so :-( ... it's just a difference of opinion about the goals of the ident protocol.

If you really want to use ident auth on a tcp connection with an encrypting authd, you can find out what authd will return as the "username" for each real user, and set up an ident map file to map that to postgres user names (ie, don't use "ident sameuser"). Unfortunately I see no way for postgres to determine that mapping automatically --- the encryption would be useless if easily reversed, no?

There's been some upstream discussion about moving away from ident as the default auth method for tcp connections, but that won't happen before PG 8.2 at the earliest.

(In reply to comment #8)
> The fact that the complainer thinks it's a bug doesn't make it so :-( ...

True. But the fact that we ship defaults that don't work /is/ a bug. And in this case, it's even a regression since it's been working in FC4 and before.
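
The ident-map workaround described in the thread above, sketched as an added example that is not part of the original bug report or of PostgreSQL or authd. It parses RFC 1413 ident replies and emits `pg_ident.conf` entries plus the matching `pg_hba.conf` line. The map name `authdmap`, the sample replies and their tokens are constructed, and it assumes, as the comment does, that authd returns one stable string per user.

```python
import re

def parse_ident_reply(line):
    """Return the user-id field of an RFC 1413 reply, or None for an ERROR reply."""
    # Reply shape: "<port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>"
    parts = line.rstrip("\r\n").split(":", 3)
    if len(parts) < 3 or not re.fullmatch(r"\s*\d+\s*,\s*\d+\s*", parts[0]):
        raise ValueError(f"not an ident reply: {line!r}")
    kind = parts[1].strip()
    if kind == "ERROR":
        return None
    if kind != "USERID" or len(parts) != 4:
        raise ValueError(f"malformed ident reply: {line!r}")
    # Everything after the third colon is the user-id; with -E it is an opaque token.
    return parts[3].strip()

def build_ident_map(map_name, observed):
    """observed maps a PostgreSQL user name to the raw reply seen for that OS user."""
    lines = ["# MAPNAME  IDENT-USERNAME  PG-USERNAME"]
    for pg_user in sorted(observed):
        ident_name = parse_ident_reply(observed[pg_user])
        if ident_name is None:
            continue  # ident server returned an error: nothing to map for this user
        if not ident_name or re.search(r'[\s"#]', ident_name):
            raise ValueError(f"token needs manual quoting: {ident_name!r}")
        lines.append(f"{map_name}  {ident_name}  {pg_user}")
    return lines

def hba_line(map_name, cidr="127.0.0.1/32"):
    """pg_hba.conf entry naming the map instead of 'sameuser' (8.1-era syntax)."""
    return f"host  all  all  {cidr}  ident {map_name}"

# Constructed sample replies; real tokens must be captured from the local authd.
SAMPLE_REPLIES = {
    "postgres": "40123 , 5432 : USERID : UNIX : CONSTRUCTEDTOKENAAAA\r\n",
    "alice": "40124 , 5432 : USERID : UNIX : CONSTRUCTEDTOKENBBBB\r\n",
    "bob": "40125 , 5432 : ERROR : NO-USER\r\n",
}

if __name__ == "__main__":
    print(hba_line("authdmap"))
    print("\n".join(build_ident_map("authdmap", SAMPLE_REPLIES)))
```

A reply whose user-id is the plain account name is what `ident sameuser` expects; an opaque token never equals the PostgreSQL user name, which is why the default rule rejects the connection until a map entry exists.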