Red Hat Bugzilla – Bug 189698
authd doesn't work with postgresql
Last modified: 2013-07-02 23:09:06 EDT
Description of problem:
The authd ident service doesn't play nice with postgres for some reason.
Steps to Reproduce:
1. enable auth service in xinetd
2. start postgres service
3. run "sudo -u postgres psql -h localhost"
Error that Ident authentication failed
psql should run
Uninstalling authd and installing oidentd makes it work.
Make sure that the auth service is configured correctly. You can't send postgresql
encrypted data (server_args without -E)
disable = no
socket_type = stream
wait = no
user = ident
cps = 4096 10
instances = UNLIMITED
server = /usr/sbin/in.authd
server_args = -t60 --xerror --os #-E
# sudo -u postgres psql -h localhost
Welcome to psql 8.1.3, the PostgreSQL interactive terminal.
So, shouldn't this be the default configuration then?
What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server
side setting correct?
(In reply to comment #3)
> What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server
> side setting correct?
I was using the default configuration, and it's been working flawlessly in
previous versions of Fedora.
Encryption is the default option in FC5....
This *is* a bug. If encryption is the default in Fedora, then postgres default
config should be made to understand it. NOTABUG doesn't fix it.
Okay, reassigning to postgresql, could we enable the encryption here?
No. To postgres, the entire point of ident authentication is to find out the real username of the
connecting process, and encrypted authd purposely prevents the requestor from finding that out. The
fact that the complainer thinks it's a bug doesn't make it so :-( ... it's just a difference of opinion about
the goals of the ident protocol.
If you really want to use ident auth on a tcp connection with an encrypting authd, you can find out what
authd will return as the "username" for each real user, and set up an ident map file to map that to
postgres user names (ie, don't use "ident sameuser"). Unfortunately I see no way for postgres to
determine that mapping automatically --- the encryption would be useless if easily reversed, no?
There's been some upstream discussion about moving away from ident as the default auth method for
tcp connections, but that won't happen before PG 8.2 at the earliest.
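The ident-map workaround described in the comment above, sketched as an added example (not code from this bug report, authd or PostgreSQL): it parses RFC 1413 replies recorded for each real user and emits pg_ident.conf lines. The map name `authdmap`, the ports and the bracketed tokens are constructed placeholders, not real authd output.

```python
import re

# RFC 1413 reply: "<port-on-ident-host> , <port-on-querier> : USERID : <opsys> : <user-id>"
# or              "<port-on-ident-host> , <port-on-querier> : ERROR : <error-type>"
_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:(.*)$")

def parse_ident_reply(line):
    """Return (ident_host_port, querier_port, user_id) or raise ValueError."""
    m = _REPLY.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed ident reply: %r" % line)
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        raise ValueError("ident error: " + rest.strip())
    # rest is "<opsys>[, charset] : <user-id>"; the user-id may itself contain ':'
    _opsys, sep, user_id = rest.partition(":")
    user_id = user_id.strip()  # this example ignores blanks around the user-id
    if not sep or not user_id:
        raise ValueError("no user-id in reply: %r" % line)
    return int(m.group(1)), int(m.group(2)), user_id

def build_ident_map(map_name, observed):
    """observed: iterable of (reply_line, pg_user). Returns pg_ident.conf lines."""
    seen = {}
    for reply, pg_user in observed:
        token = parse_ident_reply(reply)[2]
        if re.search(r'[\s"#]', token):
            raise ValueError("token %r needs quoting this example does not do" % token)
        # One opaque token must never authenticate as two database users.
        if seen.setdefault(token, pg_user) != pg_user:
            raise ValueError("token %r maps to two PostgreSQL users" % token)
    return ["%s  %s  %s" % (map_name, tok, usr) for tok, usr in sorted(seen.items())]

# Constructed sample: replies recorded while each real user connected to port 5432.
SAMPLE_OBSERVED = [
    ("40001 , 5432 : USERID : OTHER : [constructed-token-A]\r\n", "postgres"),
    ("40002 , 5432 : USERID : OTHER : [constructed-token-B]\r\n", "alice"),
]

if __name__ == "__main__":
    # pg_hba.conf would then name the map instead of sameuser, e.g.
    #   host  all  all  127.0.0.1/32  ident authdmap
    print("\n".join(build_ident_map("authdmap", SAMPLE_OBSERVED)))
```

The map stays valid only as long as authd keeps returning the same token for a given user.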
(In reply to comment #8)
> The fact that the complainer thinks it's a bug doesn't make it so :-( ...
True. But the fact that we ship defaults that don't work /is/ a bug. And in
this case, it's even a regression since it's been working in FC4 and before.