Figuring out Ident authentication for PostgreSQL 8.1

By Chee Ming on Mar 24, 2007 | In Exoweb, Postgresql | Send feedback »

It's really pretty simple actually. But the problem seems to be that the documentation that we wrote somehow skipped this issue altogether or documented it wrongly, which I guess would have caused some really confusing experience.

The problem is when the process that accesses the database is executed as a different user from the user that has the rights to the database. For example, when running Apache, you would normally execute it as the www-data user, but the database user in PostgreSQL is different, like cheeming. What we need to do now, is to tell PostgreSQL about this mapping.

We need to edit the pg_hba.conf and the pg_ident.conf files. In the pg_hba.conf file, we add a line that looks something like this:

local   my-db-name   my-db-user-name   ident my-map-name

Example:

local   depthq       cheeming          ident www

Here is where I had a problem, someone wrote that the my-db-user-name is meant to be the user of the process that accesses the database, e.g. www-data. So I did that and it didn't work. Luckily, I referred to the PostgreSQL documentation. That's a RTFM lesson for me :).

And in your pg_ident.conf file, you need something like this

my-map-name   some-user-name   my-db-user-name

Example:

www           www-data         cheeming

According to PostgreSQL client authentication documentation:

... The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied. ...

So does it mean it parses the file from top to bottom? I have no idea. Putting the line right after the first local line worked fine for me.

Once you make the changes to the file, restart the PostgreSQL server and try again. You can do some debugging with the following commands:

sudo su www-data
psql depthq -U cheeming

If you managed to login, then rejoice! You have conquered Ident. :D

You need to register an account to add comments.

Comments are not allowed from anonymous visitors.

« Our crazy connected worldDell, Apple & Lenovo Laptops »