Re: PAM documentation

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>,PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>,rasputnik(at)hellooperator(dot)net
Subject: Re: PAM documentation
Date: 2005-04-27 16:08:32
Message-ID: 200504271608.j3RG8Wx08716@candle.pha.pa.us
Lists: pgsql-committers, pgsql-docs

I found more information at:

	http://itc.musc.edu/wiki/PostgreSQL

The issue is mentioned as:

	The first thing you will need to do is create your accounts. Due to the
	way postgres is coded, you will have to create accounts on the actual
	database system with usernames that match the ones in your LDAP
	repository. This is done with the createuser statement.

The issue is that having the user known by PAM (in this case, LDAP),
isn't enough to use PAM.  You also have to have the person created in
PostgreSQL.

---------------------------------------------------------------------------

Bruce Momjian wrote:
> Tom Lane wrote:
> > momjian(at)svr1(dot)postgresql(dot)org (Bruce Momjian) writes:
> > > Mention that PAM requires the user already exist in the database, per
> > > Dick Davies.
> > 
> > I don't recall exactly what Dick suggested, but the patch as applied
> > seems like fairly useless verbiage.  Exactly which of our other auth
> > methods allow users who *don't* exist in the database to log in?
> > And why would anyone find it surprising that this does not happen?
> 
> Can someone comment if having to create the database user account to use
> PAM is something that people forget?  Is there increased confusion
> because PAM is usually used for the operating system usernames?
> 
> Attached is the addition I made to the docs recently.  Is it useful?
> 
> Here is the email that prompted the addition:
> 
> 	http://archives.postgresql.org/pgsql-admin/2005-03/msg00189.php
> 
> -- 
>   Bruce Momjian                        |  http://candle.pha.pa.us
>   pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
>   +  If your life is a hard drive,     |  13 Roberts Road
>   +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

> Index: client-auth.sgml
> ===================================================================
> RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
> retrieving revision 1.76
> retrieving revision 1.77
> diff -c -c -r1.76 -r1.77
> *** client-auth.sgml	22 Apr 2005 04:18:58 -0000	1.76
> --- client-auth.sgml	26 Apr 2005 03:01:09 -0000	1.77
> ***************
> *** 883,890 ****
>       default PAM service name is <literal>postgresql</literal>. You can
>       optionally supply your own service name after the <literal>pam</>
>       key word in the file <filename>pg_hba.conf</filename>.
> !     For more information about PAM, please read the
> !     <ulink url="http://www.kernel.org/pub/linux/libs/pam/">
>       <productname>Linux-PAM</> Page</ulink>
>       and the <ulink url="http://www.sun.com/software/solaris/pam/">
>       <systemitem class="osname">Solaris</> PAM Page</ulink>.
> --- 883,892 ----
>       default PAM service name is <literal>postgresql</literal>. You can
>       optionally supply your own service name after the <literal>pam</>
>       key word in the file <filename>pg_hba.conf</filename>.
> !     PAM is used only to validate username/password pairs.
> !     The user must already exist in the database before PAM
> !     can be used for authentication.  For more information about 
> !     PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/">
>       <productname>Linux-PAM</> Page</ulink>
>       and the <ulink url="http://www.sun.com/software/solaris/pam/">
>       <systemitem class="osname">Solaris</> PAM Page</ulink>.
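
Review bot: In the 883,892 side of this hunk, the added sentence "The user must already exist in the database before PAM can be used for authentication" states the requirement but not how to meet it; name CREATE USER (or createuser, as the wiki text quoted in this thread does) so the reader has a next step, and consider saying "database user", since "exist in the database" can be read as a per-database setting. The changed line ending in "For more information about " also carries trailing whitespace, and the Linux-PAM <ulink> open tag now shares a line with prose, unlike the Solaris link two lines below it.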


-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
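
An added example, not part of the original message or of PostgreSQL's own code: a check for the gap described above, where an account is known to PAM (LDAP here) but has no matching database user. The uid and user lists are constructed sample data and the function names are hypothetical; the check also flags names that differ only by case, because the user name supplied at connection time is matched exactly.

```python
"""Report directory accounts that PAM can authenticate but PostgreSQL will reject."""

# Constructed sample data (assumption): uids exported from the directory
# behind PAM, and user names already present in the database cluster.
DIRECTORY_UIDS = ["alice", "bob", "JSmith", 'o"brien', "bob"]
DB_USERS = ["postgres", "alice", "jsmith"]


def quote_ident(name):
    """Double-quote an SQL identifier so case and odd characters survive."""
    if not name or "\x00" in name:
        raise ValueError("invalid user name: %r" % (name,))
    return '"' + name.replace('"', '""') + '"'


def missing_db_users(directory_uids, db_users):
    """Directory uids with no exactly matching database user, in input order."""
    existing = set(db_users)
    missing = []
    for uid in directory_uids:
        if uid not in existing and uid not in missing:
            missing.append(uid)
    return missing


def case_only_mismatches(directory_uids, db_users):
    """(uid, db_user) pairs that differ only by case.

    An unquoted CREATE USER JSmith creates "jsmith", which does not match
    a login as JSmith, so these deserve a manual look.
    """
    by_lower = {u.lower(): u for u in db_users}
    return [(uid, by_lower[uid.lower()])
            for uid in missing_db_users(directory_uids, db_users)
            if uid.lower() in by_lower]


def create_statements(uids):
    """CREATE USER statements with quoted names; no password is set here
    because PAM, not the database, validates the password."""
    return ["CREATE USER %s;" % quote_ident(u) for u in uids]


if __name__ == "__main__":
    gaps = missing_db_users(DIRECTORY_UIDS, DB_USERS)
    for uid, db_user in case_only_mismatches(DIRECTORY_UIDS, DB_USERS):
        print("case mismatch: directory %r vs database %r" % (uid, db_user))
    print("\n".join(create_statements(gaps)))
```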
