Description of problem:
The authd ident service doesn't play nice with postgres for some reason. oidentd works.

How reproducible:

Steps to Reproduce:
1. enable auth service in xinetd
2. start postgres service
3. run "sudo -u postgres psql -h localhost"

Actual results:
Error that Ident authentication failed

Expected results:
psql should run

Additional info:
Uninstalling authd and installing oidentd makes it work.
Make sure that the auth service is configured correctly. You can't send postgresql encrypted data (server_args without -E).

service auth
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = ident
        cps             = 4096 10
        instances       = UNLIMITED
        server          = /usr/sbin/in.authd
        server_args     = -t60 --xerror --os #-E
}

# sudo -u postgres psql -h localhost
Welcome to psql 8.1.3, the PostgreSQL interactive terminal.
So, shouldn't this be the default configuration then?
What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server side setting correct?
(In reply to comment #3)
> What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server
> side setting correct?

I was using the default configuration, and it's been working flawlessly in previous versions of Fedora.
Encryption is the default option in FC5....
This *is* a bug. If encryption is the default in Fedora, then postgres default config should be made to understand it. NOTABUG doesn't fix it.
Okay, reassigning to postgresql, could we enable the encryption here?
No. To postgres, the entire point of ident authentication is to find out the real username of the connecting process, and encrypted authd purposely prevents the requestor from finding that out. The fact that the complainer thinks it's a bug doesn't make it so :-( ... it's just a difference of opinion about the goals of the ident protocol.

If you really want to use ident auth on a tcp connection with an encrypting authd, you can find out what authd will return as the "username" for each real user, and set up an ident map file to map that to postgres user names (ie, don't use "ident sameuser"). Unfortunately I see no way for postgres to determine that mapping automatically --- the encryption would be useless if easily reversed, no?

There's been some upstream discussion about moving away from ident as the default auth method for tcp connections, but that won't happen before PG 8.2 at the earliest.
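Added example, not part of the thread and not PostgreSQL or authd code: a small Python model of the check described in the comment above, showing why "ident sameuser" rejects an opaque user-id while a pg_ident.conf-style map accepts it. The reply lines, ports, map name and token are constructed; the example assumes, as the comment does, that authd returns a stable string per user.

```python
# Illustrative model only: RFC 1413 reply parsing plus the two matching
# modes discussed above ("sameuser" versus a named ident map).

def parse_ident_reply(line):
    """Return the user-id from an RFC 1413 reply, or None on ERROR/malformed."""
    parts = line.rstrip("\r\n").split(":", 3)
    if len(parts) != 4 or parts[1].strip() != "USERID":
        return None
    # parts[2] is the opsys field; this model strips blanks around the user-id.
    return parts[3].strip() or None

def load_ident_map(text):
    """Parse 'MAPNAME IDENT-USERNAME PG-USERNAME' lines (pg_ident.conf layout)."""
    entries = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) == 3:
            entries.add(tuple(fields))
    return entries

def ident_allows(reply, pg_user, map_name, ident_map=frozenset()):
    """Decide whether the ident reply authorizes a login as pg_user."""
    ident_user = parse_ident_reply(reply)
    if ident_user is None:
        return False
    if map_name == "sameuser":
        # The ident user-id must equal the requested database user verbatim.
        return ident_user == pg_user
    return (map_name, ident_user, pg_user) in ident_map

# Constructed sample data (the token is a placeholder, not real authd output).
PLAIN_REPLY = "48231, 5432 : USERID : UNIX : postgres"
OPAQUE_REPLY = "48231, 5432 : USERID : UNIX : [CONSTRUCTED-OPAQUE-TOKEN]"
ERROR_REPLY = "48231, 5432 : ERROR : NO-USER"
SAMPLE_MAP = """\
# MAPNAME   IDENT-USERNAME              PG-USERNAME
authdmap    [CONSTRUCTED-OPAQUE-TOKEN]  postgres
"""

if __name__ == "__main__":
    m = load_ident_map(SAMPLE_MAP)
    print("plain  + sameuser:", ident_allows(PLAIN_REPLY, "postgres", "sameuser"))
    print("opaque + sameuser:", ident_allows(OPAQUE_REPLY, "postgres", "sameuser"))
    print("opaque + authdmap:", ident_allows(OPAQUE_REPLY, "postgres", "authdmap", m))
```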
(In reply to comment #8)
> The fact that the complainer thinks it's a bug doesn't make it so :-( ...

True. But the fact that we ship defaults that don't work /is/ a bug. And in this case, it's even a regression since it's been working in FC4 and before.