[DOCS] PAM documentation
Tom Lane wrote:
> [EMAIL PROTECTED] (Bruce Momjian) writes:
> > Mention that PAM requires the user already exist in the database, per
> > Dick Davies.
>
> I don't recall exactly what Dick suggested, but the patch as applied
> seems like fairly useless verbiage. Exactly which of our other auth
> methods allow users who *don't* exist in the database to log in?
> And why would anyone find it surprising that this does not happen?

Can someone comment if having to create the database user account to use PAM is something that people forget? Is there increased confusion because PAM is usually used for the operating system usernames?

Attached is the addition I made to the docs recently. Is it useful?

Here is the email that prompted the addition:

http://archives.postgresql.org/pgsql-admin/2005-03/msg00189.php

--
Bruce Momjian | http://candle.pha.pa.us
[email protected] | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073

Index: client-auth.sgml
===
RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.76
retrieving revision 1.77
diff -c -c -r1.76 -r1.77
*** client-auth.sgml22 Apr 2005 04:18:58 - 1.76
--- client-auth.sgml26 Apr 2005 03:01:09 - 1.77
*** *** 883,890 default PAM service name is postgresql. You can optionally supply your own service name after the pam key word in the file pg_hba.conf. ! For more information about PAM, please read the ! http://www.kernel.org/pub/linux/libs/pam/";> Linux-PAM Page and the http://www.sun.com/software/solaris/pam/";> Solaris PAM Page. --- 883,892 default PAM service name is postgresql. You can optionally supply your own service name after the pam key word in the file pg_hba.conf. ! PAM is used only to validate username/password pairs. ! The user must already exist in the database before PAM ! can be used for authentication. For more information about !
PAM, please read the http://www.kernel.org/pub/linux/libs/pam/";> Linux-PAM Page and the http://www.sun.com/software/solaris/pam/";> Solaris PAM Page.

---(end of broadcast)---
TIP 9: the planner will ignore your desire to choose an index scan if your joining column's datatypes do not match
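Review bot: the two new sentences in this hunk say the user must already exist, but not that the PostgreSQL user name has to be the same name PAM is asked to check, which is the confusion that prompted the change (the LDAP case quoted later in the thread, where the database accounts must "match the ones in your LDAP repository"). Suggest making that explicit, e.g. "PAM is used only to validate username/password pairs; therefore, a database user of the same name must already exist before PAM can be used for authentication." Joining the two statements with "therefore", as proposed further down the thread, also gives the reader the reason instead of two unconnected facts.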
Re: [DOCS] PAM documentation
I found more information at:

http://itc.musc.edu/wiki/PostgreSQL

The issue is mentioned as:

The first thing you will need to do is create your accounts. Due to the way postgres is coded, you will have to create accounts on the actual database system with usernames that match the ones in your LDAP repository. This is done with the createuser statement.

The issue is that having the user known by PAM (in this case, LDAP), isn't enough to use PAM. You also have to have the person created in PostgreSQL.

---

Bruce Momjian wrote:
> Tom Lane wrote:
> > [EMAIL PROTECTED] (Bruce Momjian) writes:
> > > Mention that PAM requires the user already exist in the database, per
> > > Dick Davies.
> >
> > I don't recall exactly what Dick suggested, but the patch as applied
> > seems like fairly useless verbiage. Exactly which of our other auth
> > methods allow users who *don't* exist in the database to log in?
> > And why would anyone find it surprising that this does not happen?
>
> Can someone comment if having to create the database user account to use
> PAM is something that people forget? Is there increased confusion
> because PAM is usually used for the operating system usernames?
>
> Attached is the addition I made to the docs recently. Is it useful?
>
> Here is the email that prompted the addition:
>
> http://archives.postgresql.org/pgsql-admin/2005-03/msg00189.php
>
> --
> Bruce Momjian | http://candle.pha.pa.us
> [email protected] | (610) 359-1001
> + If your life is a hard drive, | 13 Roberts Road
> + Christ can be your backup. | Newtown Square, Pennsylvania 19073
>
> Index: client-auth.sgml
> ===
> RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
> retrieving revision 1.76
> retrieving revision 1.77
> diff -c -c -r1.76 -r1.77
> *** client-auth.sgml 22 Apr 2005 04:18:58 - 1.76
> --- client-auth.sgml 26 Apr 2005 03:01:09 - 1.77
> ***
> *** 883,890 > default PAM service name is postgresql.
You can > optionally supply your own service name after the pam > key word in the file pg_hba.conf. > ! For more information about PAM, please read the > ! http://www.kernel.org/pub/linux/libs/pam/";> > Linux-PAM Page > and the http://www.sun.com/software/solaris/pam/";> > Solaris PAM Page. > --- 883,892 > default PAM service name is postgresql. You can > optionally supply your own service name after the pam > key word in the file pg_hba.conf. > ! PAM is used only to validate username/password pairs. > ! The user must already exist in the database before PAM > ! can be used for authentication. For more information about > ! PAM, please read the url="http://www.kernel.org/pub/linux/libs/pam/";> > Linux-PAM Page > and the http://www.sun.com/software/solaris/pam/";> > Solaris PAM Page.

--
Bruce Momjian | http://candle.pha.pa.us
[email protected] | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
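The failure mode the thread describes (PAM or LDAP knows the account, PostgreSQL has no role of that name, so the login fails) can be caught before it bites by checking pg_hba.conf against the cluster's role list. The script below is an added example, not code from the thread or from PostgreSQL; the hba lines and the role set are constructed, and it assumes the 8.0-era syntax the thread describes, where an optional service name follows the pam keyword.

```python
import shlex

# Constructed pg_hba.conf content (not from the thread); 8.0-era syntax,
# where an optional service name follows the "pam" keyword.
PG_HBA = """
# TYPE  DATABASE  USER    CIDR-ADDRESS     METHOD
local   all       all                      pam
host    all       dick    192.168.1.0/24   pam ldap-postgres
host    all       alice   192.168.1.0 255.255.255.0 pam
host    all       +staff  10.0.0.0/8       pam
host    all       bob     0.0.0.0/0        md5
"""

# Constructed: role names that exist in the cluster (what pg_roles would list).
EXISTING_ROLES = {"postgres", "alice", "bob"}


def parse_pam_entries(hba_text):
    """Return (user, pam_service) for every pg_hba.conf entry using PAM."""
    entries = []
    for raw in hba_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = shlex.split(line)
        if fields[0] == "local":
            user, rest = fields[2], fields[3:]
        elif fields[0] in ("host", "hostssl", "hostnossl"):
            # Address is either CIDR (one field) or address + netmask (two).
            skip = 4 if "/" in fields[3] else 5
            user, rest = fields[2], fields[skip:]
        else:
            continue                              # unknown record type
        if rest and rest[0] == "pam":
            service = rest[1] if len(rest) > 1 else "postgresql"
            entries.append((user, service))
    return entries


def missing_roles(hba_text, roles):
    """Users named literally in a PAM entry that have no PostgreSQL role.
    PAM may accept their password, but the login still fails because the
    role does not exist. 'all', +group and @file specs are skipped since
    they do not name one role to check."""
    return [(user, service)
            for user, service in parse_pam_entries(hba_text)
            if user != "all" and not user.startswith(("+", "@"))
            and user not in roles]
```

With the constructed input, only dick is reported: PAM would be asked about him through the ldap-postgres service, but no role of that name exists.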
Re: [DOCS] PAM documentation
Bruce Momjian wrote:
> Tom Lane wrote:
> > [EMAIL PROTECTED] (Bruce Momjian) writes:
> > > Mention that PAM requires the user already exist in the database, per
> > > Dick Davies.
> >
> > I don't recall exactly what Dick suggested, but the patch as applied
> > seems like fairly useless verbiage. Exactly which of our other auth
> > methods allow users who *don't* exist in the database to log in?
> > And why would anyone find it surprising that this does not happen?

Never assume, always be explicit.

Sincerely,

Joshua D. Drake
Command Prompt, Inc.

--
Your PostgreSQL solutions company - Command Prompt, Inc. 1.800.492.2240
PostgreSQL Replication, Consulting, Custom Programming, 24x7 support
Managed Services, Shared and Dedicated Hosting
Co-Authors: plPHP, plPerlNG - http://www.commandprompt.com/
Re: [DOCS] PAM documentation
On Wed, Apr 27, 2005 at 12:03:54PM -0400, Bruce Momjian wrote:
> Tom Lane wrote:
> > [EMAIL PROTECTED] (Bruce Momjian) writes:
> > > Mention that PAM requires the user already exist in the database, per
> > > Dick Davies.
> >
> > I don't recall exactly what Dick suggested, but the patch as applied
> > seems like fairly useless verbiage. Exactly which of our other auth
> > methods allow users who *don't* exist in the database to log in?
> > And why would anyone find it surprising that this does not happen?
>
> Can someone comment if having to create the database user account to use
> PAM is something that people forget? Is there increased confusion
> because PAM is usually used for the operating system usernames?
>
> Attached is the addition I made to the docs recently. Is it useful?

Yes, because PAM works differently on other systems, especially if it's configured to use LDAP or some such. Though I'd rephrase with something like

> default PAM service name is postgresql. You can > optionally supply your own service name after the pam > key word in the file pg_hba.conf. > ! Note that PAM is only used to validate username/password pairs; > ! therefore, the user must already exist in the database before PAM > ! can be used for authentication. For more information about > ! PAM, please read the url="http://www.kernel.org/pub/linux/libs/pam/";>

--
Alvaro Herrera (<[EMAIL PROTECTED]>)
"Because frankly, if you had to pass an exam to know how to handle yourself... who is the tough guy who would have a licence?" (Mafalda)
Re: [DOCS] PAM documentation
Alvaro Herrera wrote:
> On Wed, Apr 27, 2005 at 12:03:54PM -0400, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > [EMAIL PROTECTED] (Bruce Momjian) writes:
> > > > Mention that PAM requires the user already exist in the database, per
> > > > Dick Davies.
> > >
> > > I don't recall exactly what Dick suggested, but the patch as applied
> > > seems like fairly useless verbiage. Exactly which of our other auth
> > > methods allow users who *don't* exist in the database to log in?
> > > And why would anyone find it surprising that this does not happen?
> >
> > Can someone comment if having to create the database user account to use
> > PAM is something that people forget? Is there increased confusion
> > because PAM is usually used for the operating system usernames?
> >
> > Attached is the addition I made to the docs recently. Is it useful?
>
> Yes, because PAM works differently on other systems, especially if it's
> configured to use LDAP or some such. Though I'd rephrase with something
> like
>
> > default PAM service name is postgresql. You can > > optionally supply your own service name after the pam > > key word in the file pg_hba.conf. > > ! Note that PAM is only used to validate username/password pairs; > > ! therefore, the user must already exist in the database before PAM > > ! can be used for authentication. For more information about > > ! PAM, please read the > url="http://www.kernel.org/pub/linux/libs/pam/";>

OK, update done:

PAM is used only to validate username/password pairs. Therefore the user must already exist in the database before PAM can be used for authentication.

--
Bruce Momjian | http://candle.pha.pa.us
[email protected] | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
