[Dspace-general] Dspace-general Digest, Vol 63, Issue 19

Mark H. Wood mwood at IUPUI.Edu
Fri Oct 24 14:20:56 EDT 2008


On Thu, Oct 23, 2008 at 01:34:18AM +0530, Shashank Sahni wrote:
> Well, I don't really know how to check for ident map for the user 'postgres'
> but I think I figured out that the answer to this question lies somewhere
> in the pg_hba.conf file..
> Following is the output of my pg_hba.conf file...

That is helpful.  I believe that you entered the command:

  createuser -U postgres -d -A -P dspace

while logged on as some OS user other than "postgres".  That won't
work when using the pg_hba.conf you attached.  See discussion inline.

If you know the password for the database user "postgres" then I would
suggest trying this instead:

  createuser -h localhost -U postgres -d -A -P dspace

This form of the command will use a TCP socket rather than a Unix
socket, and thus matches a different rule which will allow you to
authenticate by password.

> -------------------------------------------------------------------------------------------------------------
> # Database administrative login by UNIX sockets
> local   all         postgres                          ident sameuser

This line should permit you to use the commandline tools as database
user 'postgres' if you are also logged on as OS user 'postgres'.  If
you are any other OS user then the 'sameuser' map will not match for
this line.
 
> # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
> 
> # "local" is for Unix domain socket connections only
> local   all         all                               ident sameuser

This line appears to grant access to ALL databases by ANY database
user when logged on as the OS user of the same name.  If you have more
than one database on this host then I would think very carefully
before keeping this line as-is.

> # IPv4 local connections:
> host    all         all         127.0.0.1/32          md5

Every IPv4 connection from the local host will be tested against this
line using MD5-hashed passwords.  That should include the
JDBC-mediated connections from DSpace.  You can use this line from the
commandline tools by specifying a correct combination of database
user (-U) and database password, if you specify a TCP connection ("-h
localhost").

Again this one lets every valid database user connect to every database.

> # IPv6 local connections:
> host    all         all         ::1/128               md5

This line is the IPv6 equivalent of the previous one.

> host    dspace      dspace      127.0.0.1       255.255.255.255 md5

I don't believe that this line will ever be used.  The host-based
access configuration is applied as first-match, not closest-match.
The line directly under "# IPv4 local connections:" will match any
connection that this one would, and it comes earlier so it will take
any that would have matched here.

This line could become significant if it were placed before the "all
all" IPv4 line.  You need to place them in order of decreasing
specificity, or the more general lines will overshadow the more
specific.

In the Postgres 8.3 documentation, authentication is discussed in
Chapter 21.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
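
Added example, not part of the original message and not PostgreSQL's own code: a small checker for the first-match behaviour discussed above, run over the records quoted in this thread. It reports which record a connection lands on and which records are shadowed by an earlier, more general one. It assumes a simplified matcher (only "local"/"host" types, literal names and "all"), and the function names are hypothetical.

```python
import ipaddress

# Records quoted in the message above, in file order (comment lines dropped).
PG_HBA = """\
local   all     postgres                              ident sameuser
local   all     all                                   ident sameuser
host    all     all     127.0.0.1/32                  md5
host    all     all     ::1/128                       md5
host    dspace  dspace  127.0.0.1   255.255.255.255   md5
"""

def parse(text):
    """Parse records into dicts, keeping file order (the order the server tests them)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        rule = {"line": lineno, "type": f[0], "db": f[1], "user": f[2], "net": None}
        rest = f[3:]
        if rule["type"] != "local":
            if "/" in rest[0]:   # CIDR form: address/prefix
                net, rest = rest[0], rest[1:]
            else:                # older form: address and netmask as two fields
                net, rest = f"{rest[0]}/{rest[1]}", rest[2:]
            rule["net"] = ipaddress.ip_network(net, strict=False)
        rule["method"] = " ".join(rest)
        rules.append(rule)
    return rules

def first_match(rules, conn_type, db, user, addr=None):
    """Return the first record matching the connection; later records are never tried."""
    for r in rules:
        if r["type"] != conn_type or r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if r["net"] is not None and ipaddress.ip_address(addr) not in r["net"]:
            continue
        return r
    return None

def covers(a, b):
    """True if record a matches every connection that record b would."""
    if a["type"] != b["type"] or a["db"] not in ("all", b["db"]) or a["user"] not in ("all", b["user"]):
        return False
    return b["net"] is None or (a["net"].version == b["net"].version and b["net"].subnet_of(a["net"]))

def shadowed(rules):
    """(later_line, earlier_line) pairs where the later record can never be reached."""
    return [(b["line"], a["line"]) for i, b in enumerate(rules) for a in rules[:i] if covers(a, b)]
```

On the quoted file, shadowed(parse(PG_HBA)) reports the "dspace dspace" record as unreachable behind the "all all" IPv4 record; moving it above that record clears the report.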
