May 24
Postgres Ident authentication failure - the whys and the wherefores
Posted by Ajay
I was trying to set up postgres the other day and I came across an exception “Ident authentication failed for user postgres”. This led me to look into how postgres defines its configuration.
pg_hba.conf is the configuration file that controls client authentication, the first level of access to Postgres. It acts as a gateway by defining which IP addresses may connect to a database and which databases are available. Postgres listens for connections on a Unix socket; a simple netstat | grep postgres reveals the socket.
The file consists of a set of records. Each record specifies who may connect to which database and the authentication method to be used. Postgres stops processing at the first record that matches the connection.
The general syntax of a record is as follows:
<TYPE> <DATABASE> <USER> <CIDR-ADDRESS> <METHOD>
- The type may be local, host, hostssl or hostnossl, depending on whether the connection attempt is made over a Unix-domain socket, a TCP/IP socket, TCP/IP with SSL, or TCP/IP without SSL.
- The database can be ‘all’ to mean all databases, or a specific database.
- The user defines the user who is allowed to connect. In Postgres there is no clear distinction between a user and a group.
- The method defines the authentication method. ‘trust’ allows unconditional connection, ‘reject’ is an unconditional rejection, ‘md5’ supports md5-based authentication, ‘password’ requires clients to send an unencrypted password, ‘gss’ uses GSSAPI for authentication, ‘krb5’ uses Kerberos, ‘ident’ obtains the operating system user name and checks whether it matches the database user name, ‘ldap’ uses LDAP-based authentication, and ‘cert’ uses SSL client certificates.
Consider, for example:
local all all trust
This allows any user to connect to any database under any user name using Unix domain sockets.
Now, coming to the problem at hand. The default value for the method when Postgres is installed is ident sameuser. This means that the Postgres user name needs to be the same as that of the user account. Since the Postgres database superuser usually does not match the user name of the login account, we get the ident failure. The simple solution: use any of the other methods, like, say, password.
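The first-match rule and the ident default described above can be traced with a small matcher. This is an added example, not code from the original post or from Postgres itself: it handles only ‘all’ and literal names, and the sample file, the database appdb and the user appuser are constructed for illustration.

```python
import ipaddress

# Constructed sample in the record syntax shown above (not a real server's file).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      CIDR-ADDRESS  METHOD
local   all       postgres                ident sameuser
local   all       all                     md5
host    appdb     appuser   10.0.0.0/24   md5
host    all       all       0.0.0.0/0     reject
"""

def parse_hba(text):
    """Parse records in file order, skipping comments and blank lines."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        rec = {"type": fields[0], "db": fields[1].split(","), "user": fields[2].split(",")}
        rest = fields[3:]
        # 'local' records carry no address field; every other type does.
        rec["net"] = None if rec["type"] == "local" else ipaddress.ip_network(rest.pop(0), strict=False)
        rec["method"], rec["options"] = rest[0], rest[1:]
        records.append(rec)
    return records

def first_match(records, db, user, addr=None, ssl=False):
    """Return the first record covering the connection; later records are never consulted."""
    for rec in records:
        if (addr is None) != (rec["type"] == "local"):
            continue  # socket connections only match 'local', TCP/IP never does
        if addr is not None:
            if (rec["type"], ssl) in (("hostssl", False), ("hostnossl", True)):
                continue
            if ipaddress.ip_address(addr) not in rec["net"]:
                continue
        if ("all" in rec["db"] or db in rec["db"]) and ("all" in rec["user"] or user in rec["user"]):
            return rec
    return None  # no record matches: the server refuses the connection

def method_for(db, user, addr=None, ssl=False, hba=SAMPLE_HBA):
    """Authentication method Postgres would apply, or None if nothing matches."""
    rec = first_match(parse_hba(hba), db, user, addr, ssl)
    return rec["method"] if rec else None

if __name__ == "__main__":
    print(method_for("appdb", "postgres"))             # hits the ident record
    print(method_for("appdb", "appuser", "10.0.0.7"))  # hits the appdb/appuser record
```

When replacing ident with another method, the record order decides which connections the change actually affects. Per the method list above, password sends the password unencrypted.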