Re: PAM ldap

From: "Kavan, Dan (IMS)" <KavanD(at)imsweb(dot)com>
To: <pgsql-admin(at)postgresql(dot)org>
Subject: Re: PAM ldap
Date: 2005-01-18 16:56:25
Message-ID: 782D2A81EC812642B857B03B506E0B4432637F@granite.omni.imsweb.com
Lists: pgsql-admin

Thanks for the reply,

I did compile --with-pam. Although, the $PATH for the postgres user,
who I used to compile with, didn't have /lib and /lib64 in its path. I
don't see anything in configure.in or config.log to hint that pam isn't
configured, but I'll re-configure anyway. Is there a way to check that PAM
is configured with postgresql? pam_unix2.so is located in
/lib(64)/security. I was wondering if both /lib and /lib/security
needed to be in the $PATH or if just /lib/security was needed.

Also, forget about PAM for a minute. Why does ident work locally, but
the host entry doesn't work as easily? ident sameuser in host doesn't
work for me. When I think about it, though, it makes sense. I'm coming
in on pgAdmin III from a Windows machine and a user logged into a
Windows domain. So, no wonder it doesn't map right. It doesn't have
any smith user logged in at the time. I've tried other combinations
like a map name, user ident, pg user, but it doesn't work, i.e. TEST
smith smith, and then TEST smith smith in the pg_ident.conf file. I
really don't think postgresql is talking to our LDAP server. The only
thing it can do is local (using the unix ldap setup).

Thanks for all your insight,
~DjK

-----Original Message-----
From: pgsql-admin-owner(at)postgresql(dot)org
[mailto:pgsql-admin-owner(at)postgresql(dot)org] On Behalf Of Dick Davies
Sent: Sunday, January 16, 2005 4:11 AM
To: PostgreSQL Admin
Subject: Re: [ADMIN] PAM ldap

* Kavan, Dan (IMS) <KavanD(at)imsweb(dot)com> [0149 18:49]:
>
> Hi, I'm running postgresql 8.0.rc5 on SUSE.
> I have the pg_hba.conf file configured with
> local all smith ident sameuser
> host all smith ident sameuser
>
> The way authentication works with that configuration is that
> if I'm logged in as smith with my company ldap server I can get in,
> but if I'm not directly logged in as smith, I can't get in. Having
> the word pam in this file at all causes an error. I'd like to use pam
> so postgres could do its own ldap/pam lookups, but I keep getting an
> error that it doesn't know what pam is. I see in the logs that the
> pam server starts, but I still get an error.

You didn't show the broken config, but assuming it's something like

# TYPE    DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
hostssl   all       all   127.0.0.1   255.255.255.255  pam

then perhaps you don't have pam support built into postgres?

> /etc/pam.d/postgresql
> auth required pam_unix2.so nullok
> account required pam_unix2.so

This is going to do unix auth, obviously, so you'll need to s/unix/ldap/
on that...

--
'You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your
coat.'
-- Bender
Rasputin :: Jack of All Trades - Master of Nuns

---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo(at)postgresql(dot)org
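The two pg_hba.conf questions in the thread, which record wins and what "ident sameuser" compares versus a pg_ident.conf map, worked through as an added example that is not part of the original messages or of PostgreSQL itself. The config text, the subnets and the Windows login name that identd is assumed to report are constructed for illustration; the resolution logic follows the 8.0 rules (first matching record decides, exact-match ident map lines, a pam record only names the /etc/pam.d/ service) and never talks to a server, an identd or PAM.

```python
import ipaddress

# Constructed pg_hba.conf in the 8.0 IP-ADDRESS/IP-MASK syntax used in this
# thread, not the poster's real file. The subnets and the PAM line are assumptions.
PG_HBA = """
# TYPE   DATABASE  USER   IP-ADDRESS    IP-MASK          METHOD  [OPTION]
local    all       smith                                 ident   sameuser
host     all       smith  192.168.1.0   255.255.255.0    ident   sameuser
host     all       smith  192.168.2.0   255.255.255.0    ident   TEST
hostssl  all       all    127.0.0.1     255.255.255.255  pam
"""

# Constructed pg_ident.conf. 8.0 map lines are exact-match triples; the Windows
# login name below is an assumed identd answer, not a real account.
PG_IDENT = r"""
# MAPNAME  IDENT-USERNAME  PG-USERNAME
TEST       smith           smith
TEST       DOMAIN\dkavan   smith
"""


def parse_hba(text):
    """Parse pg_hba.conf records (IP-ADDRESS IP-MASK or CIDR address forms)."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        rec = {"type": f[0], "database": f[1], "user": f[2], "net": None}
        if f[0] == "local":
            rest = f[3:]
        elif "/" in f[3]:                                  # CIDR form
            rec["net"] = ipaddress.ip_network(f[3], strict=False)
            rest = f[4:]
        else:                                              # IP-ADDRESS IP-MASK form
            rec["net"] = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            rest = f[5:]
        rec["method"] = rest[0]
        rec["option"] = rest[1] if len(rest) > 1 else None
        records.append(rec)
    return records


def parse_ident(text):
    """Return {mapname: {(ident_user, pg_user), ...}} from pg_ident.conf."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, ident_user, pg_user = line.split()
            maps.setdefault(name, set()).add((ident_user, pg_user))
    return maps


def first_match(records, conn_type, database, user, client_ip=None):
    """The server scans pg_hba.conf top to bottom; the first record whose TYPE,
    DATABASE, USER and client address all match decides the method, and a
    later record is never consulted if that method then fails."""
    for rec in records:
        if rec["type"] == "local":
            if conn_type != "local":
                continue
        else:
            if conn_type == "local" or client_ip is None:
                continue
            if rec["type"] == "hostssl" and conn_type != "hostssl":
                continue
            if rec["type"] == "hostnossl" and conn_type != "host":
                continue
            if ipaddress.ip_address(client_ip) not in rec["net"]:
                continue
        if rec["database"] not in ("all", database) or rec["user"] not in ("all", user):
            continue
        return rec
    return None


def authenticate(hba_text, ident_text, conn_type, database, user,
                 client_ip=None, ident_user=None):
    """Return (outcome, detail) with outcome 'allow', 'deny' or 'pam'.
    ident_user is what the server learns about the peer: the Unix user on a
    local socket, or whatever the identd on the client host answers for a TCP
    connection (on a Windows box that is a Windows login, not a Unix account).
    For 'pam', detail is the PAM service name, i.e. the file under /etc/pam.d/."""
    rec = first_match(parse_hba(hba_text), conn_type, database, user, client_ip)
    if rec is None:
        return "deny", "no matching pg_hba.conf record"
    method = rec["method"]
    if method == "trust":
        return "allow", "trust"
    if method == "reject":
        return "deny", "reject"
    if method == "pam":
        return "pam", rec["option"] or "postgresql"
    if method == "ident":
        if ident_user is None:
            return "deny", "ident: no peer username available"
        mapname = rec["option"] or "sameuser"
        if mapname == "sameuser":
            ok = ident_user == user
            return ("allow" if ok else "deny",
                    f"sameuser: peer is {ident_user!r}, database user is {user!r}")
        ok = (ident_user, user) in parse_ident(ident_text).get(mapname, set())
        return ("allow" if ok else "deny",
                f"map {mapname}: pair ({ident_user!r}, {user!r}) "
                + ("listed" if ok else "not listed"))
    return "deny", f"method {method!r} not modelled here"


if __name__ == "__main__":
    cases = [
        # (conn_type, client_ip, peer name) for database user smith
        ("local",   None,           "smith"),           # shell login as smith on the server
        ("host",    "192.168.1.20", "DOMAIN\\dkavan"),  # pgAdmin from a Windows domain login
        ("host",    "192.168.2.20", "DOMAIN\\dkavan"),  # same client, subnet routed to map TEST
        ("hostssl", "127.0.0.1",    None),              # SSL on loopback: handed to PAM
        ("host",    "127.0.0.1",    None),              # plain TCP on loopback: no hostssl match
    ]
    for conn_type, ip, peer in cases:
        print(conn_type, ip, peer, "->",
              authenticate(PG_HBA, PG_IDENT, conn_type, "testdb", "smith", ip, peer))
```

Running it shows the Windows client only getting in once a pg_ident.conf line pairs the name identd actually reports with smith, and that the pam record merely selects the /etc/pam.d/postgresql service, which is where a pam_ldap stack would have to go.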
