Re: sql-ledger and postgresql: HOWTO?
On Mon, 2004-08-02 at 21:48, Johann Spies wrote:
> After seeing the article in Linuxjournal about sql-ledger I wanted to
> try it out. The article referred to the installation as a
> "breeze". That was not my experience. I found the documentation
> confusing to say the least.
I agree with that. (Once I got it working, I found sql-ledger to be
cumbersome and not in my opinion suitable for use as an enterprise
accounts system.)
...
> Why would the documentation suggest a scheme that is not secure?
> Trying to create more secure schemes I had a lot of problems with the
> standard Debian ident-scheme in postgresql. Reading the FAQ of
> sql-ledger, I found:
>
> " This error has everything to do with the way distros set up access
> rights for postgres. They are way too restrictive and leave you wondering what to do next.
>
> Do yourself a favour and change authentication type in pg_hba.conf
> to
>
> local all trust
>
> until you have figured out what all this stuff in pg_hba.conf
> does. Read about the different authentication settings and change
> them as you see fit."
Yuck! Such an attitude to security makes me wonder a bit about the
whole package! Accounting applications MUST be secure!
> Now that does not help at all! Other documentation (README.gz)
> suggests a "safer" scheme:
>
> "if you use passwords to access postgres use this command
> $ createuser -d -P sql-ledger
> "
Yes. With web applications, passwords are the only way to go, because
otherwise you have no verification of the user's identity.
> So I did that as well as 'createdb sql-ledger' and put the following
> in /etc/pg_hba.conf:
>
> # All IPv4 connections from localhost
> host sql-ledger sql-ledger 127.0.0.1 255.255.255.255 md5
> host all all 127.0.0.1 255.255.255.255 ident sameuser
>
> After reloading the postgresql-configuration I tried
>
> http://localhost/sql-ledger/admin.pl but when I try to create a
> dataset as sql-ledger I get the following error:
>
> FATAL: IDENT authentification failed for user "sql-ledger".
>
> Why is postgresql trying to do an IDENT-authentication?
If any other database than sql-ledger is involved, the first of those
two pg_hba.conf lines does not apply and the second is used instead.
(If you weren't specifying any host at all, it would be trying a Unix
socket connection rather than TCP/IP and neither of those lines would
apply.) I think that its first action is to create a database, so it is
quite likely connecting to template1 first (since that is the only
database it can be sure exists). Try changing the database parameter of
the pg_hba.conf line to "all".
--
Oliver Elphick olly@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
"All scripture is given by inspiration of God, and is
profitable for doctrine, for reproof, for correction,
for instruction in righteousness;"
II Timothy 3:16
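
Added example, not part of the original message and not sql-ledger or PostgreSQL code: a simplified model of how pg_hba.conf entries are matched (the first matching line decides the method), run against the two host lines quoted above and against a variant with the database column of the first line set to "all". It handles only `local` and `host` lines with an address and mask; the function names and the SUGGESTED variant are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two host lines quoted in the post
# (columns: type, database, user, address, mask, method [option]).
ORIGINAL = """\
# All IPv4 connections from localhost
host sql-ledger sql-ledger 127.0.0.1 255.255.255.255 md5
host all all 127.0.0.1 255.255.255.255 ident sameuser
"""
# Same file with the database column of the first line changed to "all".
SUGGESTED = ORIGINAL.replace("host sql-ledger sql-ledger", "host all sql-ledger")


def parse(text):
    """Return rules in file order; only 'local' and 'host' with IP + mask."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local" and len(f) >= 4:
            rules.append({"type": "local", "db": f[1], "user": f[2], "net": None, "method": f[3]})
        elif f[0] == "host" and len(f) >= 6:
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            rules.append({"type": "host", "db": f[1], "user": f[2], "net": net, "method": f[5]})
    return rules


def field_matches(field, value):
    return field == "all" or value in field.split(",")


def auth_method(rules, conn_type, db, user, addr=None):
    """First matching rule wins; later rules are never consulted."""
    for r in rules:
        if r["type"] != conn_type:
            continue  # a Unix-socket connection never matches a 'host' line
        if r["net"] is not None and ipaddress.ip_address(addr) not in r["net"]:
            continue
        if field_matches(r["db"], db) and field_matches(r["user"], user):
            return r["method"]
    return None  # no matching entry: the connection is rejected


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        rules = parse(text)
        for db in ("sql-ledger", "template1"):
            print(name, db, auth_method(rules, "host", db, "sql-ledger", "127.0.0.1"))
```

With the original lines, a TCP connection as sql-ledger to template1 skips the md5 line and lands on the ident line; with the database column set to "all", the same connection is asked for an md5 password.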