From: | "Kavan, Dan (IMS)" <KavanD(at)imsweb(dot)com> |
---|---|
To: | <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: PAM ldap |
Date: | 2005-01-18 16:56:25 |
Message-ID: | 782D2A81EC812642B857B03B506E0B4432637F@granite.omni.imsweb.com |
Lists: | pgsql-admin |
Thanks for the reply,

I did compile --with-pam. Although, the $PATH for the postgres user -
who I used to compile with didn't have /lib and /lib64 in its path. I
don't see anything in configure.in or config.log to hint that pam isn't
configured, but I'll re-configure anyway. Is there a way to check PAM
is configured with postgresql? pam_unix2.so is located in
/lib(64)/security. I was wondering if both /lib and /lib/security
needed to be in the $PATH or if just /lib/security was needed.

Also, forget about PAM for a minute. Why does ident work locally, but
the host entry not work as easily? ident sameuser in host doesn't
work for me. When I think about it though it makes sense. I'm coming
in on pgadmin iii from a windows machine and a user logged into a
windows domain. So, no wonder, it doesn't map right. It doesn't have
any smith user logged in at the time. I've tried other combinations
like a map name, user ident, pg user, but it doesn't work. ie TEST
smith smith. And then TEST smith smith in the pg_ident.conf file. I
really don't think postgresql is talking to our LDAP server. The only
thing it can do is local (using the unix ldap setup).

Thanks for all your insight,
~DjK

-----Original Message-----
From: pgsql-admin-owner(at)postgresql(dot)org
[mailto:pgsql-admin-owner(at)postgresql(dot)org] On Behalf Of Dick Davies
Sent: Sunday, January 16, 2005 4:11 AM
To: PostgreSQL Admin
Subject: Re: [ADMIN] PAM ldap
* Kavan, Dan (IMS) <KavanD(at)imsweb(dot)com> [0149 18:49]:
>
> Hi, I'm running postgresql 8.0.rc5 on SUSE.
> I have the pg_hba.conf file configured with
> local all smith ident sameuser
> host all smith ident sameuser
>
> The way authentication works with that configuration is that
> if I'm logged in as smith with my company ldap server I can get in,
> but if I'm not directly logged in as smith, I can't get in. Having
> the word pam in this file at all causes an error. I'd like to use pam
> so postgres could do its own ldap/pam lookups, but I keep getting an
> error that it doesn't know what pam is. I see in the logs that the
> pam server starts, but I still get an error.

You didn't show the broken config, but assuming it's something like

# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
hostssl all all 127.0.0.1 255.255.255.255 pam

then perhaps you don't have pam support built into postgres?

> /etc/pam.d/postgresql
> auth required pam_unix2.so nullok
> account required pam_unix2.so
This is going to do unix auth, obviously, so you'll need to s/unix/ldap/
on that...
--
'You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your
coat.'
-- Bender
Rasputin :: Jack of All Trades - Master of Nuns
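
An added example, not part of either message in this thread: shell helpers for the three checks the exchange turns on, namely whether the build was configured `--with-pam`, which PAM service each `pam` line in pg_hba.conf resolves to, and whether that service's `auth` stack uses pam_ldap rather than pam_unix2. The function names are hypothetical, and accepting the later `pamservice=` option spelling alongside the bare service name is an assumption of this sketch.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# On a live host, feed the first check with:  pg_config --configure
# and confirm the server binary links PAM:    ldd "$(command -v postgres)" | grep libpam

# Succeed if a `pg_config --configure` string contains --with-pam.
built_with_pam() {
    case " $(printf '%s' "$1" | tr -d "'") " in
        *" --with-pam "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the PAM service name for every pg_hba.conf line whose method is "pam".
# Method column: 4 on "local" lines, 5 with a CIDR address, 6 with IP + mask.
hba_pam_services() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            m = ($1 == "local") ? 4 : (($4 ~ /\//) ? 5 : 6)
            if ($m != "pam") next
            svc = ($(m + 1) != "") ? $(m + 1) : "postgresql"  # default service
            sub(/^pamservice=/, "", svc)                      # later option form
            print svc
        }' "$1"
}

# Print the module (basename) of each "auth" line in a PAM service file.
pam_auth_modules() {
    awk '$1 ~ /^-?auth$/ {
        for (i = 3; i <= NF; i++)
            if ($i ~ /\.so$/) { n = split($i, p, "/"); print p[n]; break }
    }' "$1"
}

# audit_pam HBA_FILE PAM_DIR: report the auth modules behind each PAM service
# that pg_hba.conf references; non-zero if any of them lacks pam_ldap.so.
audit_pam() {
    rc=0
    for svc in $(hba_pam_services "$1" | sort -u); do
        if [ ! -f "$2/$svc" ]; then
            echo "$svc: no service file in $2"; rc=1; continue
        fi
        mods=$(pam_auth_modules "$2/$svc" | tr '\n' ' ')
        echo "$svc: auth via ${mods:-none}"
        case " $mods" in *" pam_ldap.so "*) ;; *) rc=1 ;; esac
    done
    return $rc
}
```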