Hello,

Am Freitag, 19. Juli 2013, 12:55:39 schrieb Mark Hayden:

> > So to summarize
> > - db user name is not required if user und which trytond runs and db-owner
> > are the same. in this case the user is 'tryton'
> 
> This is what I understand now as well.  If no user name is present then
> the user name presented to PostgreSQL for authentication would be the
> user 'tryton' if that is the account under which your trytond process is
> running.

I have set it up that way...

> Not 100% of password.  If you do not specify one in the tryton config
> then it would probably use other auhentication methods like peer, ident,
> gssapi/kerberos depending on what is specified in your pg_hba.conf file.
> 
> > -  host and socket are not required for local installation of database and
> > tryton-server
> > - pg_hba can merely remain unchanged, esp, the line
> > host    all             all             127.0.0.1/32            ident
> > as the connection is still local. Whether ident , md5 or whatever works
> > has to be tested.
> 
> Careful with this one.  In our discussions on this thread it was
> mentioned that "psycopg2" is used for the database interface so its
> conventions determine how Tryton works with the database.  If no
> hostname is supplied then the default unix domain socket is used.  Unix
> soxkets are different from localhost TCP sockets, and the entry you show
> is for the latter.  If you have a blank host then the pg_hba rule line
> that applies is the one starting with the word "local", NOT The "host"
> line with the local IP address.  In my experience the auth method is
> "peer" for UNIX/local sockets.  Peer auth simply asks the kernel what
> user is running the client process and that is it--no password is asked
> for (and the pgsql database user proabably shouldn't even have a
> password).

right, the user tryton is created without login permission, so 'peer' for the 
local entry
local   all             all                                     peer
should work. In fact, it does :-)

I changed the line 
 host    all             all             127.0.0.1/32            ident
to
 host    all             all             127.0.0.1/32            peer
and with this setting the postgres server failed to start. Probably due to the 
fact that the user 'tryton' does not have a password.
If I set the parameter 'md5' the database starts, and the login test
sudo -u tryton psql -h localhost template1 tryton
works. I have to enter the database password for the user tryton.
So it seems that md5 works for the 'host' line

> A quick Google search reveals that hostname in psycopg2 can also be the
> absolute/full path name to a UNIX socket (a UNIX socket simply being a
> special kind of file on your system such
> as /var/run/postgresql/.s.PGSQL.5432).  If you are having trouble make
> sure the path of .s.PGSQL.5432 in postgresql.conf (the
> unix_socket_directory option) matches what you specify in the tryton
> config if the default/blank hostname does not work.

The unix socket file for openSUSE is in /tmp.
But which option in /etc/trytond.conf tells the tryton server in which 
directory to look for s.PGSQL.5432?

> > So, I added db_user and password in /etc/trytond.conf, had all daemons
> > restartet, and still the connection from the client / profile manager does
> > not work. Now, this coud mean that no db exists (which is true)
> 
> if you put a db_user and db_password into tryton's config file it woud
> probably try password or md5 auth instead of peer and I am not sure if
> that would work--if you are going to supply username and password the
> method for "local" should be changed from peer to md5 in your pg_hba
> file I would think.
> 
> Also, when I set up Tryton for myself I went into pgsql and did CREATE
> DATABASE to make a new database and then assigned my tryton user as
> owner.  In my system the tryton database user is NOT granted permission
> to create databases so this was required.  Tryton takes care of creating
> the schema within the new/blank database and as the owner of the
> database the tryton user could to that once the empty database was
> created.

I tried this now as well.
As it did not work, I had a look into various log files, and found in the 
system log:
SSLError: [Errno 336265218] _ssl.c:364: error:140B0002:SSL 
routines:SSL_CTX_use_PrivateKey_file:system lib

Asking Google, it pointed out that this may be an access problem:

On the other hand, it should be readable for group tryton
dir /etc/trytond/ssl.key
-rw-r--r-- 1 root tryton 3243 Jul 18 12:14 tryton_server.key

I changed the permissions to tryton:tryton, but that was obviously not the 
problem, as the error remains. In full:

trytond[487]: Traceback (most recent call last):
trytond[487]: File "/usr/lib64/python2.7/SocketServer.py", line 582, in 
process_request_thread
trytond[487]: self.finish_request(request, client_address)
trytond[487]: File "/usr/lib64/python2.7/SocketServer.py", line 323, in 
finish_request
trytond[487]: self.RequestHandlerClass(request, client_address, self)
trytond[487]: File "/usr/lib64/python2.7/SocketServer.py", line 636, in 
__init__
trytond[487]: self.setup()
trytond[487]: File "/usr/lib/python2.7/site-
packages/trytond/protocols/jsonrpc.py", line 258, in setup
trytond[487]: self.request = SSLSocket(self.request)
trytond[487]: File "/usr/lib/python2.7/site-
packages/trytond/protocols/sslsocket.py", line 13, in SSLSocket
trytond[487]: ssl_version=ssl.PROTOCOL_SSLv23)
trytond[487]: File "/usr/lib64/python2.7/ssl.py", line 381, in wrap_socket
trytond[487]: ciphers=ciphers)
trytond[487]: File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
trytond[487]: ciphers)
trytond[487]: SSLError: [Errno 336265218] _ssl.c:364: error:140B0002:SSL 
routines:SSL_CTX_use_PrivateKey_file:system lib

So, here I'm stuck again....

Reply via email to