On Sat, Feb 04, 2006 at 09:24:36AM +0800, Syan Tan wrote:

> thanks, will take a look. Don't quite understand about the pg_hba.conf,

Well, the main point is that in order to add a GNUmed user to the
database one does NOT have to fiddle with pg_hba.conf ever again.
Have root or postgres do it once and be done with it. From then on
one only needs to add users to the database itself in the appropriate
way. That appropriate way is encapsulated by gm_create_user().

> but you're saying it's per group rather than per database definition of local
> and host type of database access,

No, it is still per database. Or rather per "group of databases",
namely those for which a PG group exists with the same name as the
database - of which the user then needs to be a member. Which is
taken care of by gm_create_user().

> which is sending of md5 hashes of passwords

yes

> (this isn't challenge-authentication, is it ?;

no, not the way I read the docs

> can someone spoof the md5 password packets ?)

It's hard because the client does not simply send the password
md5()ed but must md5() the password AND a salt value that was sent to
it from the server for this very connection. That way snooped MD5
values cannot simply be reused. They could be reused only when the
salt is the same again. The salt is 4 characters, IOW 32 bit. So salt
reuse should in theory only be possible once within 2^32 connections.

> I've been trying to get kerberos working lately (mainly because my gsasl is
> saying something
> about credentials when I try to get ldap to work with default configuration).
> Postgres does kerberos too, doesn't it?

According to the docs, yes.

Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
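
The salted exchange described in the reply above, as an added example that is not part of the original message: it models both sides of PostgreSQL's md5 authentication method, where the response is md5(md5(password + username) + salt), and checks a captured response against a fresh salt. The user name, password and salt values are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(user: str, password: str) -> str:
    """What the server keeps for the role: 'md5' + md5(password || username)."""
    return "md5" + md5_hex(password.encode() + user.encode())


def client_response(user: str, password: str, salt: bytes) -> str:
    """What the client sends back after receiving the 4-byte salt."""
    inner = md5_hex(password.encode() + user.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: recompute from the stored verifier and this connection's salt."""
    expected = "md5" + md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def salt_repeat_probability(connections: int, salt_bits: int = 32) -> float:
    """Chance that one specific captured salt is issued again within n connections."""
    return 1.0 - (1.0 - 2.0 ** -salt_bits) ** connections


def replay_demo() -> dict:
    # Constructed sample values, not taken from any real installation.
    user, password = "gm-demo-user", "constructed-secret"
    verifier = stored_verifier(user, password)
    salt_conn1 = bytes.fromhex("01020304")  # salt the server sent on connection 1
    salt_conn2 = bytes.fromhex("a1b2c3d4")  # fresh salt on connection 2
    snooped = client_response(user, password, salt_conn1)
    return {
        "first_login": server_check(verifier, salt_conn1, snooped),
        "replay_new_salt": server_check(verifier, salt_conn2, snooped),
        "replay_same_salt": server_check(verifier, salt_conn1, snooped),
    }


if __name__ == "__main__":
    print(replay_demo())
    print(salt_repeat_probability(1_000_000))
```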
