Setup POSTGRESQL with IDENT Authentication method

postgresql Yoo... this thing took several hours for me to make it work –____-,
I just can’t find a good example about this.
IDENT Authentication is indeed a really evil one. (he said that) >:).

So here we go :

  1. assuming that you have already installed POSTGRESQL on your workstation; if not, this is the short step you need to take:

    #yum install postgresql

    #yum install pgadmin3 (optional)

    by default, you can install POSTGRESQL when you install a fresh Fedora 14 (ehhmm... advertising :D). For the complete steps you can read this.

  2. The first time you use POSTGRESQL after installation, you need to run the initialization:

    #service <postgresql_service_name> initdb

  3. Ok, by default, if you installed a new version of POSTGRESQL, e.g. "PostgreSQL 8.4.5 on i386-redhat-linux-gnu", it sets the local and host authentication type to IDENT. Try opening the pg_hba.conf file (you need root access to edit this file):

    # nano /var/lib/pgsql/data/pg_hba.conf

    then you'll find this part in it:

    # TYPE DATABASE USER CIDR-ADDRESS METHOD 
    # "local" is for Unix domain socket connections only 
    local all all ident
    # IPv4 local connections: 
    host all all 127.0.0.1/32 ident
    # IPv6 local connections: 
    host all all ::1/128 ident

    The ident authentication method works by inspecting the client's operating system user name and determining the allowed database user names by using a map file that lists the permitted corresponding user name pairs. You can read more about IDENT here.

  4. When we use IDENT authentication, we need an IDENT server; it is used to answer questions like "What user initiated the connection that goes out of your port X and connects to my port Y?". Now, I'm using OIDENTD; to install OIDENTD you just need:

    #yum install oidentd

    You can read more about oidentd here.

  5. Ok, let's begin editing all the files necessary to make IDENT Authentication work, starting from postgresql's ident file:

    # nano /var/lib/pgsql/data/pg_ident.conf

    add this configuration at the bottom of the file:

    # MAPNAME     SYSTEM-USERNAME    PG-USERNAME 
    test      uzer              postgres

    now open pg_hba.conf again and add the map name to it:

    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD 
    # "local" is for Unix domain socket connections only 
    local   all         all                               ident map=test
    # IPv4 local connections: 
    host    all         all         127.0.0.1/32          ident map=test
    # IPv6 local connections: 
    host    all         all         ::1/128               ident

    You mustn't skip this step, or you will receive this error when you try to connect to your database:

    LOG: provided username (postgres) and authenticated username (uzer) don't match
    FATAL: Ident authentication failed for user "postgres"

  6. Oidentd uses the default configuration file oidentd.conf, which should be at /etc/oidentd.conf, but I don't know why, on my local /etc, oidentd.conf doesn't exist. So I need to create it myself with

    #nano /etc/oidentd.conf

    and fill it with:

    default {
        default {
            deny spoof
            deny spoof_all
            deny spoof_privport
            allow random_numeric
            allow numeric
            allow hide
        }
    }

    user uzer {
        default {
            allow spoof
            allow spoof_all
            allow random
            allow hide
        }
    }

    I just added these lines to oidentd.conf but sorry, I can't explain anything about this; I couldn't get any other details except this.

  7. Everything is set, now we are ready. Run the oidentd and postgresql services with these commands in a terminal:

    #oidentd -C /etc/oidentd.conf
    #service postgresql start
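To make steps 3 to 5 concrete, here is an added example (my own code, not part of the original post and not PostgreSQL's or oidentd's implementation) that models what the server does for the ident method end to end: it builds the RFC 1413 question from step 4, parses the ident server's USERID or ERROR reply, reads the pg_ident.conf lines from step 5 and then applies the map= option from the pg_hba.conf METHOD field. The port numbers, the connection table the ident server answers from, and the pg_ident.conf text are all constructed for the example; the map parser handles literal entries only. The model also shows why ident over TCP is a trust decision about the client host: the server accepts whatever the daemon on that host replies, and the oidentd.conf spoof capabilities above let the listed OS user choose that reply, which is why PostgreSQL's documentation restricts the ident method to closed networks where each client machine is tightly controlled.

```python
"""Added example: a model of PostgreSQL's `ident` decision, end to end.
Constructed data only; nothing here talks to a real server."""
import re

# --- Step 4: the RFC 1413 exchange -------------------------------------
# Constructed view of the connection table on the client host, as the
# ident server (e.g. oidentd) would see it:
#   (port on the client host, port on the PostgreSQL host) -> OS user
CLIENT_CONNECTIONS = {(54321, 5432): "uzer"}


def build_ident_request(client_port, server_port):
    """PostgreSQL -> ident server: '<port-on-their-host>, <port-on-my-host>'."""
    return f"{client_port}, {server_port}\r\n".encode("ascii")


def answer_ident(request, table=CLIENT_CONNECTIONS):
    """Ident server -> PostgreSQL: echo the ports, then USERID or ERROR."""
    m = re.fullmatch(rb"\s*(\d+)\s*,\s*(\d+)\s*\r?\n", request)
    if not m:
        return b"0, 0 : ERROR : INVALID-PORT\r\n"
    a, b = int(m.group(1)), int(m.group(2))
    if not (1 <= a <= 65535 and 1 <= b <= 65535):
        return f"{a}, {b} : ERROR : INVALID-PORT\r\n".encode("ascii")
    user = table.get((a, b))
    if user is None:
        return f"{a}, {b} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{a}, {b} : USERID : UNIX : {user}\r\n".encode("ascii")


def parse_ident_response(response, client_port, server_port):
    """Check the reply echoes the ports we asked about, then return
    ('USERID', os_user) or ('ERROR', error_type)."""
    text = response.decode("ascii", errors="replace").rstrip("\r\n")
    parts = [p.strip() for p in text.split(":", 3)]
    ports = [p.strip() for p in parts[0].split(",")]
    if len(ports) != 2 or not all(p.isdigit() for p in ports):
        raise ValueError("malformed port pair in ident reply")
    if (int(ports[0]), int(ports[1])) != (client_port, server_port):
        raise ValueError("ident reply is for a different connection")
    if len(parts) == 3 and parts[1] == "ERROR":
        return ("ERROR", parts[2])
    if len(parts) == 4 and parts[1] == "USERID":
        return ("USERID", parts[3])      # parts[2] is the opsys field
    raise ValueError("malformed ident reply")


# --- Step 5: pg_ident.conf map and the pg_hba.conf METHOD field ----------
PG_IDENT_CONF = """\
# MAPNAME     SYSTEM-USERNAME    PG-USERNAME
test          uzer               postgres
"""


def parse_pg_ident(text):
    """{mapname: [(system_user, pg_user), ...]}; literal entries only."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"bad pg_ident.conf line: {raw!r}")
        mapname, sys_user, pg_user = fields
        maps.setdefault(mapname, []).append((sys_user, pg_user))
    return maps


def parse_hba_method(field):
    """'ident map=test' -> ('ident', {'map': 'test'}); 'ident' -> ('ident', {})."""
    method, *opts = field.split()
    return method, dict(o.partition("=")[::2] for o in opts)


def ident_user_allowed(os_user, requested_user, map_name, maps):
    """With no map= the OS user must equal the requested database user;
    with a map, some entry must pair exactly those two names."""
    if map_name is None:
        return os_user == requested_user
    return (os_user, requested_user) in maps.get(map_name, [])


def authenticate(client_port, server_port, requested_user, hba_method,
                 table=CLIENT_CONNECTIONS, ident_conf=PG_IDENT_CONF):
    """Full decision for one connection attempt; returns (ok, reason)."""
    method, opts = parse_hba_method(hba_method)
    if method != "ident":
        return False, f"not an ident line: {method}"
    kind, value = parse_ident_response(
        answer_ident(build_ident_request(client_port, server_port), table),
        client_port, server_port)
    if kind == "ERROR":
        return False, f"ident server answered ERROR {value}"
    if ident_user_allowed(value, requested_user, opts.get("map"),
                          parse_pg_ident(ident_conf)):
        return True, f"os user {value} may connect as {requested_user}"
    return False, f"os user {value} is not mapped to {requested_user}"


if __name__ == "__main__":
    for hba in ("ident map=test", "ident"):
        print(hba, "->", authenticate(54321, 5432, "postgres", hba))
```

Running it shows the two outcomes from step 5 side by side: with `ident map=test`, OS user uzer is allowed to connect as postgres; with plain `ident`, the names must be identical and uzer is refused, which is the situation behind the "provided username (postgres) and authenticated username (uzer) don't match" log line. Note that the IPv6 line in the pg_hba.conf above still reads plain `ident` without `map=test`, so a connection over ::1 would take that second branch.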

Yapz.. that's all we need to use the IDENT authentication method in POSTGRESQL, and I am really looking forward to your comments, especially about point six. Otherwise, if you don't want to do the setup, you can just change IDENT to md5 to save your time configuring POSTGRESQL. Thanks for reading anyway ... :)
