public inbox for [email protected]
pgsql: Mention that PAM requires the user already exist in the database,
8+ messages / 6 participants
* pgsql: Mention that PAM requires the user already exist in the database,
@ 2005-04-26 03:01 Bruce Momjian <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: Bruce Momjian @ 2005-04-26 03:01 UTC (permalink / raw)
To: [email protected]
Log Message:
-----------
Mention that PAM requires the user already exist in the database, per
Dick Davies.
Modified Files:
--------------
pgsql/doc/src/sgml:
client-auth.sgml (r1.76 -> r1.77)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/doc/src/sgml/client-auth.sgml.diff?r1=1.76&r2=1...)
* Re: pgsql: Mention that PAM requires the user already exist in the database,
@ 2005-04-26 05:16 Tom Lane <[email protected]>
parent: Bruce Momjian <[email protected]>
0 siblings, 2 replies; 8+ messages in thread
From: Tom Lane @ 2005-04-26 05:16 UTC (permalink / raw)
To: Bruce Momjian <[email protected]>; +Cc: [email protected]
[email protected] (Bruce Momjian) writes:
> Mention that PAM requires the user already exist in the database, per
> Dick Davies.
I don't recall exactly what Dick suggested, but the patch as applied
seems like fairly useless verbiage. Exactly which of our other auth
methods allow users who *don't* exist in the database to log in?
And why would anyone find it surprising that this does not happen?
regards, tom lane
* PAM documentation
@ 2005-04-27 16:03 Bruce Momjian <[email protected]>
parent: Tom Lane <[email protected]>
1 sibling, 3 replies; 8+ messages in thread
From: Bruce Momjian @ 2005-04-27 16:03 UTC (permalink / raw)
To: Tom Lane <[email protected]>; +Cc: pgsql-docs; [email protected]
Tom Lane wrote:
> [email protected] (Bruce Momjian) writes:
> > Mention that PAM requires the user already exist in the database, per
> > Dick Davies.
>
> I don't recall exactly what Dick suggested, but the patch as applied
> seems like fairly useless verbiage. Exactly which of our other auth
> methods allow users who *don't* exist in the database to log in?
> And why would anyone find it surprising that this does not happen?
Can someone comment if having to create the database user account to use
PAM is something that people forget? Is there increased confusion
because PAM is usually used for the operating system usernames?
Attached is the addition I made to the docs recently. Is it useful?
Here is the email that prompted the addition:
http://archives.postgresql.org/pgsql-admin/2005-03/msg00189.php
--
Bruce Momjian | http://candle.pha.pa.us
[email protected] | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Index: client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.76
retrieving revision 1.77
diff -c -c -r1.76 -r1.77
*** client-auth.sgml 22 Apr 2005 04:18:58 -0000 1.76
--- client-auth.sgml 26 Apr 2005 03:01:09 -0000 1.77
***************
*** 883,890 ****
default PAM service name is <literal>postgresql</literal>. You can
optionally supply your own service name after the <literal>pam</>
key word in the file <filename>pg_hba.conf</filename>.
! For more information about PAM, please read the
! <ulink url="http://www.kernel.org/pub/linux/libs/pam/";
<productname>Linux-PAM</> Page</ulink>
and the <ulink url="http://www.sun.com/software/solaris/pam/";
<systemitem class="osname">Solaris</> PAM Page</ulink>.
--- 883,892 ----
default PAM service name is <literal>postgresql</literal>. You can
optionally supply your own service name after the <literal>pam</>
key word in the file <filename>pg_hba.conf</filename>.
! PAM is used only to validate username/password pairs.
! The user must already exist in the database before PAM
! can be used for authentication. For more information about
! PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/";
<productname>Linux-PAM</> Page</ulink>
and the <ulink url="http://www.sun.com/software/solaris/pam/";
<systemitem class="osname">Solaris</> PAM Page</ulink>.
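Review bot: the added sentence "The user must already exist in the database before PAM can be used for authentication" reads as if the PAM step itself is gated on the database user, whereas the point raised in the thread is narrower: PAM only verifies the username/password pair, so a user PAM (or the LDAP directory behind it) accepts still cannot log in unless a database user of the same name exists, and PAM never creates that user. Suggest saying that directly and naming the step the reader has to take, e.g. "PAM is used only to validate username/password pairs; a database user with the same name must still be created (for example with createuser) before that user can log in." Stating that the database user name must match the name PAM knows would also address the report that prompted the change.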
* Re: PAM documentation
@ 2005-04-27 16:08 Bruce Momjian <[email protected]>
parent: Bruce Momjian <[email protected]>
2 siblings, 0 replies; 8+ messages in thread
From: Bruce Momjian @ 2005-04-27 16:08 UTC (permalink / raw)
To: Bruce Momjian <[email protected]>; +Cc: Tom Lane <[email protected]>; pgsql-docs; [email protected]
I found more information at:
http://itc.musc.edu/wiki/PostgreSQL
The issue is mentioned as:
The first thing you will need to do is create your accounts. Due to the
way postgres is coded, you will have to create accounts on the actual
database system with usernames that match the ones in your LDAP
repository. This is done with the createuser statement.
The issue is that having the user known by PAM (in this case, LDAP),
isn't enough to use PAM. You also have to have the person created in
PostgreSQL.
---------------------------------------------------------------------------
Bruce Momjian wrote:
> Tom Lane wrote:
> > [email protected] (Bruce Momjian) writes:
> > > Mention that PAM requires the user already exist in the database, per
> > > Dick Davies.
> >
> > I don't recall exactly what Dick suggested, but the patch as applied
> > seems like fairly useless verbiage. Exactly which of our other auth
> > methods allow users who *don't* exist in the database to log in?
> > And why would anyone find it surprising that this does not happen?
>
> Can someone comment if having to create the database user account to use
> PAM is something that people forget? Is there increased confusion
> because PAM is usually used for the operating system usernames?
>
> Attached is the addition I made to the docs recently. Is it useful?
>
> Here is the email that prompted the addition:
>
> http://archives.postgresql.org/pgsql-admin/2005-03/msg00189.php
>
> Index: client-auth.sgml
> ===================================================================
> RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
> retrieving revision 1.76
> retrieving revision 1.77
> diff -c -c -r1.76 -r1.77
> *** client-auth.sgml 22 Apr 2005 04:18:58 -0000 1.76
> --- client-auth.sgml 26 Apr 2005 03:01:09 -0000 1.77
> ***************
> *** 883,890 ****
> default PAM service name is <literal>postgresql</literal>. You can
> optionally supply your own service name after the <literal>pam</>
> key word in the file <filename>pg_hba.conf</filename>.
> ! For more information about PAM, please read the
> ! <ulink url="http://www.kernel.org/pub/linux/libs/pam/";
> <productname>Linux-PAM</> Page</ulink>
> and the <ulink url="http://www.sun.com/software/solaris/pam/";
> <systemitem class="osname">Solaris</> PAM Page</ulink>.
> --- 883,892 ----
> default PAM service name is <literal>postgresql</literal>. You can
> optionally supply your own service name after the <literal>pam</>
> key word in the file <filename>pg_hba.conf</filename>.
> ! PAM is used only to validate username/password pairs.
> ! The user must already exist in the database before PAM
> ! can be used for authentication. For more information about
> ! PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/";
> <productname>Linux-PAM</> Page</ulink>
> and the <ulink url="http://www.sun.com/software/solaris/pam/";
> <systemitem class="osname">Solaris</> PAM Page</ulink>.
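The procedure this message and the patch describe (a pam entry in pg_hba.conf, an optional PAM service name, and a database user that has to be created separately with a name matching the one PAM or LDAP knows) as a small check script. This is an added example, not code from the PostgreSQL documentation, the patch, or anyone in the thread. The pg_hba.conf excerpt, the two username lists, the service name pg-ldap and the function names pam_services and missing_db_users are constructed for illustration, and the field layout assumes the pg_hba.conf format of the 8.0-era docs quoted in the patch (method in the 4th field on local lines, 5th on host lines, optional service name after pam).

```shell
#!/bin/sh
# Added example for this thread, not code from PostgreSQL or its docs.
# Two checks an admin wiring PostgreSQL to PAM wants: which pg_hba.conf
# entries use pam (and under which PAM service name), and which usernames
# PAM knows that have no matching database user, since PAM only checks
# the password and never creates the database user.

# Constructed pg_hba.conf excerpt. Field layout follows the docs quoted in
# the thread: the method is the 4th field on "local" lines and the 5th on
# host lines, and for "pam" an optional service name may follow it.
SAMPLE_HBA='# TYPE  DATABASE  USER  CIDR-ADDRESS   METHOD  [OPTION]
local   all       all                  pam
host    all       all   10.0.0.0/8     pam     pg-ldap
host    all       all   127.0.0.1/32   md5
'

# Constructed username lists (assumption: one name per line). The first is
# what the PAM stack, here backed by an LDAP directory, would accept; the
# second is what "psql -Atc 'SELECT usename FROM pg_user'" would print.
SAMPLE_PAM_USERS='alice
bob
carol'
SAMPLE_DB_USERS='alice
postgres'

# Print the PAM service name for every pam entry in a pg_hba.conf text,
# substituting the documented default "postgresql" when none is given.
# Comment and blank lines are skipped.
pam_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        { m = ($1 == "local") ? 4 : 5 }
        $m == "pam"      { print ($(m + 1) == "" ? "postgresql" : $(m + 1)) }'
}

# Print every PAM-side username that has no database user of the same name.
# Arg 1: PAM usernames, arg 2: database usernames. The lists are joined with
# a marker line so a single awk pass can do the set difference without
# temporary files; the order of the PAM list is preserved.
missing_db_users() {
    {
        printf '%s\n' "$2"
        printf '%s\n' '--- pam users follow ---'
        printf '%s\n' "$1"
    } | awk '
        $0 == "--- pam users follow ---" { in_pam = 1; next }
        !in_pam        { known[$0] = 1; next }
        NF && !($0 in known)'
}

# Stand-alone run: report the services to define under /etc/pam.d and the
# users that still need "createuser <name>" before they can log in.
for svc in $(pam_services "$SAMPLE_HBA"); do
    echo "pam entry uses service '$svc' (expects /etc/pam.d/$svc)"
done
missing_db_users "$SAMPLE_PAM_USERS" "$SAMPLE_DB_USERS" |
    while read -r u; do echo "PAM user '$u' has no database user; run: createuser $u"; done
```

On a real cluster, replace the two sample lists with the output of getent passwd (or an LDAP query) and of psql -Atc 'SELECT usename FROM pg_user'. The converse list, database users with no PAM counterpart, is worth producing as well by swapping the arguments, since those accounts no longer correspond to anyone PAM will vouch for.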
* Re: PAM documentation
@ 2005-04-27 16:18 Joshua D. Drake <[email protected]>
parent: Bruce Momjian <[email protected]>
2 siblings, 0 replies; 8+ messages in thread
From: Joshua D. Drake @ 2005-04-27 16:18 UTC (permalink / raw)
To: Bruce Momjian <[email protected]>; +Cc: Tom Lane <[email protected]>; pgsql-docs; [email protected]
Bruce Momjian wrote:
> Tom Lane wrote:
>
>>[email protected] (Bruce Momjian) writes:
>>
>>>Mention that PAM requires the user already exist in the database, per
>>>Dick Davies.
>>
>>I don't recall exactly what Dick suggested, but the patch as applied
>>seems like fairly useless verbiage. Exactly which of our other auth
>>methods allow users who *don't* exist in the database to log in?
>>And why would anyone find it surprising that this does not happen?
Never assume, always be explicit.
Sincerely,
Joshua D. Drake
Command Prompt, Inc.
--
Your PostgreSQL solutions company - Command Prompt, Inc. 1.800.492.2240
PostgreSQL Replication, Consulting, Custom Programming, 24x7 support
Managed Services, Shared and Dedication Hosting
Co-Authors: plPHP, plPerlNG - http://www.commandprompt.com/
* Re: PAM documentation
@ 2005-04-27 16:31 Alvaro Herrera <[email protected]>
parent: Bruce Momjian <[email protected]>
2 siblings, 1 reply; 8+ messages in thread
From: Alvaro Herrera @ 2005-04-27 16:31 UTC (permalink / raw)
To: Bruce Momjian <[email protected]>; +Cc: Tom Lane <[email protected]>; pgsql-docs; [email protected]
On Wed, Apr 27, 2005 at 12:03:54PM -0400, Bruce Momjian wrote:
> Tom Lane wrote:
> > [email protected] (Bruce Momjian) writes:
> > > Mention that PAM requires the user already exist in the database, per
> > > Dick Davies.
> >
> > I don't recall exactly what Dick suggested, but the patch as applied
> > seems like fairly useless verbiage. Exactly which of our other auth
> > methods allow users who *don't* exist in the database to log in?
> > And why would anyone find it surprising that this does not happen?
>
> Can someone comment if having to create the database user account to use
> PAM is something that people forget? Is there increased confusion
> because PAM is usually used for the operating system usernames?
>
> Attached is the addition I made to the docs recently. Is it useful?
Yes, because PAM works differently on other systems, especially if it's
configured to use LDAP or some such. Though I'd rephrase with something
like
> default PAM service name is <literal>postgresql</literal>. You can
> optionally supply your own service name after the <literal>pam</>
> key word in the file <filename>pg_hba.conf</filename>.
> ! Note that PAM is only used to validate username/password pairs;
> ! therefore, the user must already exist in the database before PAM
> ! can be used for authentication. For more information about
> ! PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/";
--
Alvaro Herrera (<alvherre[@]dcc.uchile.cl>)
"Porque francamente, si para saber manejarse a uno mismo hubiera que
rendir examen... ¿Quién es el machito que tendría carnet?" (Mafalda)
* Re: PAM documentation
@ 2005-04-27 20:11 Bruce Momjian <[email protected]>
parent: Alvaro Herrera <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Bruce Momjian @ 2005-04-27 20:11 UTC (permalink / raw)
To: Alvaro Herrera <[email protected]>; +Cc: Tom Lane <[email protected]>; pgsql-docs; [email protected]
Alvaro Herrera wrote:
> On Wed, Apr 27, 2005 at 12:03:54PM -0400, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > [email protected] (Bruce Momjian) writes:
> > > > Mention that PAM requires the user already exist in the database, per
> > > > Dick Davies.
> > >
> > > I don't recall exactly what Dick suggested, but the patch as applied
> > > seems like fairly useless verbiage. Exactly which of our other auth
> > > methods allow users who *don't* exist in the database to log in?
> > > And why would anyone find it surprising that this does not happen?
> >
> > Can someone comment if having to create the database user account to use
> > PAM is something that people forget? Is there increased confusion
> > because PAM is usually used for the operating system usernames?
> >
> > Attached is the addition I made to the docs recently. Is it useful?
>
> Yes, because PAM works differently on other systems, especially if it's
> configured to use LDAP or some such. Though I'd rephrase with something
> like
>
> > default PAM service name is <literal>postgresql</literal>. You can
> > optionally supply your own service name after the <literal>pam</>
> > key word in the file <filename>pg_hba.conf</filename>.
> > ! Note that PAM is only used to validate username/password pairs;
> > ! therefore, the user must already exist in the database before PAM
> > ! can be used for authentication. For more information about
> > ! PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/";
OK, update done:
PAM is used only to validate username/password pairs.
Therefore the user must already exist in the database before PAM
can be used for authentication.
* Re: pgsql: Mention that PAM requires the user already exist in the database,
@ 2005-04-28 22:23 Peter Eisentraut <[email protected]>
parent: Tom Lane <[email protected]>
1 sibling, 0 replies; 8+ messages in thread
From: Peter Eisentraut @ 2005-04-28 22:23 UTC (permalink / raw)
To: Tom Lane <[email protected]>; +Cc: Bruce Momjian <[email protected]>; [email protected]
Tom Lane wrote:
> I don't recall exactly what Dick suggested, but the patch as applied
> seems like fairly useless verbiage. Exactly which of our other auth
> methods allow users who *don't* exist in the database to log in?
> And why would anyone find it surprising that this does not happen?
I think the difference is that PAM carries a user list of its own, and
users might be led to believe that it's enough to create a user in the
PAM system and it will automatically exist in the database.
With the other authentication methods, there is no external user list.
--
Peter Eisentraut
http://developer.postgresql.org/~petere/