Re: Help with access control settings in pg_hba.conf --

From: Victor Danilchenko <danilche(at)cs(dot)umass(dot)edu>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: Help with access control settings in pg_hba.conf --
Date: 2005-01-27 15:18:04
Message-ID: Pine.OSX.4.50.0501271014330.17513-100000@phobos.cs.umass.edu
Lists: pgsql-admin
On Thu, 27 Jan 2005, Victor Danilchenko wrote:

>	Hi,
>
>	I am trying to set up a database server with multiple DB
>clusters, so that in each cluster a number of users have their own
>database each, with passwordless access (we can trust the network
>security in our installation). The following is what seems like it
>*should* work:
>
>host    all             all     127.0.0.1       255.255.255.255 password
>host    sameuser        all     xxx.xxx.xxx.0   255.255.255.128 ident sameuser
>host    all             @fac    xxx.xxx.xxx.0   255.255.255.128 trust
>
>	The second line ("host sameuser") is the problem. It doesn't
>work -- when trying to connect, I keep getting error messages:
>
>$ whoami
>testuser
>$ psql -h db-edlab -p 7666 testuser testuser
>psql: FATAL:  IDENT authentication failed for user "testuser"

	I forgot to mention that yes, I do have an identd daemon running on
the connecting system -- from the RHL pidentd RPM.

>	If I replace 'ident sameuser' with 'trust' there, it works fine
>-- but then any user can access anyone else's database, providing they
>request the same password.
>
>	The idea is that each user should be able to access only their
>database, only as themselves, without password -- but I can't figure out
>what I am doing wrong. Any help? If what I am trying to do is
>impossible, is there any other way to achieve such a goal -- i.e.
>passwordless access that allows each user to access only their own
>database over the network?
>
>
>	BTW, as long as I am writing, a somewhat related question, which
>is not nearly as important as the previous one.
>
>	I launch multiple postmaster processes, each servicing a
>dedicated DB cluster on a dedicated port. The problem is that I only
>ever see *one* local UNIX socket (/tmp/.s.PGSQL.<portnumber>) file.
>There is a .lock file created corresponding to each server/port combo,
>but it looks like each subsequent instance of the postmaster kills the
>previous instance's UNIX socket. Is this how it should be -- and if so,
>are there any pg_ctl options I can pass in to make it simply not create
>the UNIX sockets altogether, so that only network operations are
>supported? At the moment, I am doing admin access through the loopback
>device, so it's not a big issue.
>
>

-- 
|  Victor  Danilchenko  +------------------------------------+
| danilche(at)cs(dot)umass(dot)edu | I don't have to outrun the bear -- |
|   CSCF   |   5-4231   |     I just have to outrun YOU!     |
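
Added example, not part of the original message or of PostgreSQL's code: a small Python model of how the server picks a pg_hba.conf record for the three lines quoted above, using the documented rule that the first record matching connection type, client address, database and user decides the authentication method, with no fall-through to later records. The redacted subnet is replaced by the documentation range 192.0.2.0, the contents of the `@fac` list (`prof1`) are invented, and only the keyword forms used in the post are handled.

```python
import ipaddress

# Constructed stand-ins: the post redacts its subnet as xxx.xxx.xxx.0, so the
# documentation range 192.0.2.0 is used here; FAC is hypothetical content
# for the "@fac" user list file.
HBA = """\
host    all             all     127.0.0.1       255.255.255.255 password
host    sameuser        all     192.0.2.0       255.255.255.128 ident sameuser
host    all             @fac    192.0.2.0       255.255.255.128 trust
"""
FAC = {"prof1"}


def parse(text):
    """Turn 'host db user address mask method...' lines into record dicts."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        net = ipaddress.ip_network(f"{f[3]}/{f[4]}")
        records.append({"db": f[1], "user": f[2], "net": net,
                        "method": " ".join(f[5:])})
    return records


def db_matches(rule, db, user):
    return rule == "all" or (rule == "sameuser" and db == user) or rule == db


def user_matches(rule, user):
    if rule.startswith("@"):  # "@name" means a list of user names in a file
        return user in FAC
    return rule == "all" or rule == user


def select_record(records, client_ip, db, user):
    """Return the method of the first matching record, or None (rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for r in records:
        if ip in r["net"] and db_matches(r["db"], db, user) \
                and user_matches(r["user"], user):
            return r["method"]  # first match decides; no fall-through
    return None


RECORDS = parse(HBA)
```

A connection to one's own database from the subnet always lands on the `ident sameuser` record, so an ident failure there is final; the `trust` record is only reached by `@fac` members asking for a database other than their own.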
