
Re: sql-ledger and postgresql: HOWTO?



On Mon, 2004-08-02 at 21:48, Johann Spies wrote:
> After seeing the article in Linuxjournal about sql-ledger I wanted to
> try it out.  The article referred to the installation as a
> "breeze". That was not my experience.  I found the documentation
> confusing to say the least.

I agree with that.  (Once I got it working, I found sql-ledger to be
cumbersome and not in my opinion suitable for use as an enterprise
accounts system.)

...

> Why would the documentation suggest a scheme that is not secure?
> Trying to create more secure schemes I had a lot of problems with the
> standard Debian ident-scheme in postgresql.  Reading the FAQ of
> sql-ledger, I found:  
> 
> "  This error has everything to do with the way distros set up access
> rights for postgres. They are way too restrictive and leave you wondering what to do next.
> 
>     Do yourself a favour and change authentication type in pg_hba.conf
>     to
> 
>     local           all              trust
> 
>     until you have figured out what all this stuff in pg_hba.conf
>     does. Read about the different authentication settings and change
>     them as you see fit." 

Yuck!  Such an attitude to security makes me wonder a bit about the
whole package!  Accounting applications MUST be secure!

> Now that does not help at all!  Other documentation (README.gz)
> suggests a "safer" scheme:    
> 
> "if you use passwords to access postgres use this command
>   $ createuser -d -P sql-ledger
> "

Yes.  With web applications, passwords are the only way to go, because
otherwise you have no verification of the user's identity.

> So I did that as well as 'createdb sql-ledger' and put the following
> in /etc/pg_hba.conf:
> 
> # All IPv4 connections from localhost
> host    sql-ledger  sql-ledger 127.0.0.1  255.255.255.255   md5
> host all all 127.0.0.1   255.255.255.255   ident sameuser
> 
> After reloading the postgresql-configuration I tried 
> 
> http://localhost/sql-ledger/admin.pl  but when I try to create a
> dataset as sql-ledger I get the following error:
> 
> FATAL: IDENT authentification failed for user "sql-ledger".
> 
> Why is postgresql trying to do an IDENT-authentication?

If any other database than sql-ledger is involved, the first of those
two pg_hba.conf lines does not apply and the second is used instead. 
(If you weren't specifying any host at all, it would be trying a Unix
socket connection rather than TCP/IP and neither of those lines would
apply.)  I think that its first action is to create a database, so it is
quite likely connecting to template1 first (since that is the only
database it can be sure exists).  Try changing the database parameter of
the pg_hba.conf line to "all".


-- 
Oliver Elphick                                          olly@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E  1EC0 5664 7A2F A543 10EA
                 ========================================
     "All scripture is given by inspiration of God, and is 
      profitable for doctrine, for reproof, for correction, 
      for instruction in righteousness;"          
                                     II Timothy 3:16 
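
The record-matching rule described in the reply above, as an added example that is not part of the original message: a minimal Python model of how a pg_hba.conf record is selected (the first record matching database, user and client address wins, with no fall-through). The function names are hypothetical, only the `host database user address mask method` form is handled, and the connection to template1 is the reply's supposition about what admin.pl does.

```python
import ipaddress

# Constructed from the two records quoted in the message.
HBA_AS_POSTED = """\
# All IPv4 connections from localhost
host sql-ledger sql-ledger 127.0.0.1 255.255.255.255 md5
host all all 127.0.0.1 255.255.255.255 ident sameuser
"""
# The change suggested in the reply: database field of the md5 record set to "all".
HBA_SUGGESTED = """\
host all sql-ledger 127.0.0.1 255.255.255.255 md5
host all all 127.0.0.1 255.255.255.255 ident sameuser
"""

def parse_hba(text):
    """Return host records as (databases, users, network, method) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6 or fields[0] != "host":
            continue  # simplification: 'local' records and keywords like 'sameuser' as a database are skipped
        _, dbs, users, addr, mask, *method = fields
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        records.append((dbs.split(","), users.split(","), net, " ".join(method)))
    return records

def _name_matches(names, wanted):
    return "all" in names or wanted in names

def select_method(records, database, user, client_ip):
    """Return the auth method of the first matching record, or None if none matches."""
    ip = ipaddress.ip_address(client_ip)
    for dbs, users, net, method in records:
        if _name_matches(dbs, database) and _name_matches(users, user) and ip in net:
            return method
    return None  # no matching record: the server rejects the connection

if __name__ == "__main__":
    for label, text in (("as posted", HBA_AS_POSTED), ("suggested", HBA_SUGGESTED)):
        recs = parse_hba(text)
        for db in ("sql-ledger", "template1"):
            print(f"{label}: user sql-ledger -> db {db}:",
                  select_method(recs, db, "sql-ledger", "127.0.0.1"))
```

With the records as posted, a TCP connection as sql-ledger to template1 selects the ident record, which matches the error in the message; with the database field set to "all", the same connection selects md5 while other users still get ident.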


