
Re: PAM ldap

From: "Kavan, Dan (IMS)" <KavanD(at)imsweb(dot)com>
To: <pgsql-admin(at)postgresql(dot)org>
Subject: Re: PAM ldap
Date: 2005-01-18 16:56:25
Message-ID: 782D2A81EC812642B857B03B506E0B4432637F@granite.omni.imsweb.com
Lists: pgsql-admin
Thanks for the reply,

I did compile --with-pam.  Although, the $PATH for the postgres user -
who I used to compile with - didn't have /lib and /lib64 in its path.  I
don't see anything in configure.in or config.log to hint that pam isn't
configured, but I'll re-configure anyway.  Is there a way to check PAM
is configured with postgresql?  pam_unix2.so is located in
/lib(64)/security.  I was wondering if both /lib and /lib/security
needed to be in the $PATH or if just /lib/security was needed.

Also, forget about PAM for a minute.  Why does ident work locally, but
the host entry not work as easily?  ident sameuser in host doesn't
work for me.  When I think about it though it makes sense.  I'm coming
in on pgAdmin III from a windows machine and a user logged into a
windows domain.  So, no wonder, it doesn't map right.  It doesn't have
any smith user logged in at the time.  I've tried other combinations
like a map name, user ident, pg user, but it doesn't work, i.e. TEST
smith smith.  And then TEST smith smith in the pg_ident.conf file.  I
really don't think postgresql is talking to our LDAP server.  The only
thing it can do is local (using the unix ldap setup).

Thanks for all your insight,
~DjK


-----Original Message-----
From: pgsql-admin-owner(at)postgresql(dot)org
[mailto:pgsql-admin-owner(at)postgresql(dot)org] On Behalf Of Dick Davies
Sent: Sunday, January 16, 2005 4:11 AM
To: PostgreSQL Admin
Subject: Re: [ADMIN] PAM ldap


* Kavan, Dan (IMS) <KavanD(at)imsweb(dot)com> [0149 18:49]:
> 
> Hi,  I'm running postgresql 8.0.rc5 on SUSE.
> I have the pg_hba.conf file configured with 
> local	all	smith	ident sameuser
> host	all	smith	ident sameuser
> 
> The way authentication works with that configuration is that
> if I'm logged in as smith with my company ldap server I can get in,
> but if I'm not directly logged in as smith, I can't get in.  Having
> the word pam in this file at all causes an error.  I'd like to use pam
> so postgres could do its own ldap/pam lookups, but I keep getting an
> error that it doesn't know what pam is.  I see in the logs that the
> pam server starts, but I still get an error.

You didn't show the broken config, but assuming it's something like

# TYPE     DATABASE    USER        IP-ADDRESS      IP-MASK           METHOD
hostssl    all         all         127.0.0.1       255.255.255.255   pam

then perhaps you don't have pam support built into postgres?


> /etc/pam.d/postgresql
> auth    required        pam_unix2.so    nullok
> account required        pam_unix2.so

This is going to do unix auth, obviously, so you'll need to s/unix/ldap/
on that...

-- 
'You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your
coat.'
		-- Bender
Rasputin :: Jack of All Trades - Master of Nuns
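
An added example, not part of the thread or of PostgreSQL's own code, showing one way to answer the question of whether a build has PAM support and which modules a PAM service file calls. PAM modules are loaded by libpam from its module directory, not found through $PATH, so the checks look at the configure options, the linked libraries and the service file. The function names are hypothetical, and matching any module whose name starts with pam_ldap is an assumption.

```shell
#!/bin/sh
# Added example: check a PostgreSQL build for PAM support and list the
# modules a PAM service file calls. Function names are hypothetical.

# 0 if a configure-options string, as printed by `pg_config --configure`,
# contains --with-pam (the quotes around each option are stripped first).
configure_has_pam() {
    opts=$(printf '%s' "$1" | tr -d "'")
    case " $opts " in
        *" --with-pam "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if ldd output on stdin lists libpam, i.e. the binary was linked with -lpam.
links_libpam() { grep -q 'libpam\.so'; }

# Read a PAM service file on stdin; print "type:module" per auth/account line.
# A bracketed control such as [success=1 default=ignore] spans several fields.
pam_modules() {
    awk '$1 == "auth" || $1 == "account" {
             i = 2
             if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
             print $1 ":" $(i + 1)
         }'
}

# 0 if an auth line uses a module whose name starts with pam_ldap (assumption).
auth_uses_ldap() { pam_modules | grep -q '^auth:.*pam_ldap'; }

# The /etc/pam.d/postgresql contents quoted in the thread.
thread_service() {
    printf '%s\n' 'auth    required        pam_unix2.so    nullok' \
                  'account required        pam_unix2.so'
}

# Live check, only when pg_config is on the PATH.
if command -v pg_config >/dev/null 2>&1; then
    configure_has_pam "$(pg_config --configure)" \
        && echo "configure: --with-pam present" \
        || echo "configure: --with-pam missing"
    ldd "$(pg_config --bindir)/postgres" 2>/dev/null | links_libpam \
        && echo "postgres binary links libpam" \
        || echo "postgres binary does not link libpam"
fi
thread_service | pam_modules
```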
