Hello, Am Freitag, 19. Juli 2013, 12:55:39 schrieb Mark Hayden:
> > So to summarize > > - db user name is not required if user und which trytond runs and db-owner > > are the same. in this case the user is 'tryton' > > This is what I understand now as well. If no user name is present then > the user name presented to PostgreSQL for authentication would be the > user 'tryton' if that is the account under which your trytond process is > running. I have set it up that way... > Not 100% of password. If you do not specify one in the tryton config > then it would probably use other auhentication methods like peer, ident, > gssapi/kerberos depending on what is specified in your pg_hba.conf file. > > > - host and socket are not required for local installation of database and > > tryton-server > > - pg_hba can merely remain unchanged, esp, the line > > host all all 127.0.0.1/32 ident > > as the connection is still local. Whether ident , md5 or whatever works > > has to be tested. > > Careful with this one. In our discussions on this thread it was > mentioned that "psycopg2" is used for the database interface so its > conventions determine how Tryton works with the database. If no > hostname is supplied then the default unix domain socket is used. Unix > soxkets are different from localhost TCP sockets, and the entry you show > is for the latter. If you have a blank host then the pg_hba rule line > that applies is the one starting with the word "local", NOT The "host" > line with the local IP address. In my experience the auth method is > "peer" for UNIX/local sockets. Peer auth simply asks the kernel what > user is running the client process and that is it--no password is asked > for (and the pgsql database user proabably shouldn't even have a > password). right, the user tryton is created without login permission, so 'peer' for the local entry local all all peer should work. In fact, it does :-) I changed the line host all all 127.0.0.1/32 ident to host all all 127.0.0.1/32 peer and with this setting the postgres server failed to start. Probably due to the fact that the user 'tryton' does not have a password. If I set the parameter 'md5' the database starts, and the login test sudo -u tryton psql -h localhost template1 tryton works. I have to enter the database password for the user tryton. So it seems that md5 works for the 'host' line > A quick Google search reveals that hostname in psycopg2 can also be the > absolute/full path name to a UNIX socket (a UNIX socket simply being a > special kind of file on your system such > as /var/run/postgresql/.s.PGSQL.5432). If you are having trouble make > sure the path of .s.PGSQL.5432 in postgresql.conf (the > unix_socket_directory option) matches what you specify in the tryton > config if the default/blank hostname does not work. The unix socket file for openSUSE is in /tmp. But which option in /etc/trytond.conf tells the tryton server in which directory to look for s.PGSQL.5432? > > So, I added db_user and password in /etc/trytond.conf, had all daemons > > restartet, and still the connection from the client / profile manager does > > not work. Now, this coud mean that no db exists (which is true) > > if you put a db_user and db_password into tryton's config file it woud > probably try password or md5 auth instead of peer and I am not sure if > that would work--if you are going to supply username and password the > method for "local" should be changed from peer to md5 in your pg_hba > file I would think. > > Also, when I set up Tryton for myself I went into pgsql and did CREATE > DATABASE to make a new database and then assigned my tryton user as > owner. In my system the tryton database user is NOT granted permission > to create databases so this was required. Tryton takes care of creating > the schema within the new/blank database and as the owner of the > database the tryton user could to that once the empty database was > created. I tried this now as well. As it did not work, I had a look into various log files, and found in the system log: SSLError: [Errno 336265218] _ssl.c:364: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib Asking Google, it pointed out that this may be an access problem: On the other hand, it should be readable for group tryton dir /etc/trytond/ssl.key -rw-r--r-- 1 root tryton 3243 Jul 18 12:14 tryton_server.key I changed the permissions to tryton:tryton, but that was obviously not the problem, as the error remains. In full: trytond[487]: Traceback (most recent call last): trytond[487]: File "/usr/lib64/python2.7/SocketServer.py", line 582, in process_request_thread trytond[487]: self.finish_request(request, client_address) trytond[487]: File "/usr/lib64/python2.7/SocketServer.py", line 323, in finish_request trytond[487]: self.RequestHandlerClass(request, client_address, self) trytond[487]: File "/usr/lib64/python2.7/SocketServer.py", line 636, in __init__ trytond[487]: self.setup() trytond[487]: File "/usr/lib/python2.7/site- packages/trytond/protocols/jsonrpc.py", line 258, in setup trytond[487]: self.request = SSLSocket(self.request) trytond[487]: File "/usr/lib/python2.7/site- packages/trytond/protocols/sslsocket.py", line 13, in SSLSocket trytond[487]: ssl_version=ssl.PROTOCOL_SSLv23) trytond[487]: File "/usr/lib64/python2.7/ssl.py", line 381, in wrap_socket trytond[487]: ciphers=ciphers) trytond[487]: File "/usr/lib64/python2.7/ssl.py", line 141, in __init__ trytond[487]: ciphers) trytond[487]: SSLError: [Errno 336265218] _ssl.c:364: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib So, here I'm stuck again....
