
Re: Almost done with manual for Gentoo - but need some help



[snip]
> 
> This "triple user" concept is going to cross someone's eyes.
> 
> You have 3 users here:
> UNIX system user:  this is the user who owns the Apache process,
> probably apache or www-data depending on your distro (could be some
> other user though)
> 
> PostgreSQL user:  that user authorized to connect to the server and
> request a connection to the database
> 
> Database user:  user authorized to: View, modify, create/destroy data.
> 
> Then LedgerSMB also has users with certain privileges in the tables
> (on top of all the above).
> 
> The pg_hba.conf table is used by the server to see who is connecting
> to the server.  This will normally be the UNIX user unless you pass
> the -U parameter during the connect.  So the pg_hba.conf file must
> reference the owner of the web server process (because that's who is
> posting the data).  This is why trust works, but md5 doesn't.
> 
> If you make the Apache process owned by ledgersmb, you will at least
> be taking the first step toward being permitted to connect to the
> server -- the other part being you must pass in the md5 password (not
> sure if Postgres will force a password prompt through Apache).  On a
> command line you would either use --password or hope Postgres knows to
> prompt.  What might work better for you is to launch Apache via a
> wrapper that sets PGUSER and that user has a .pgpass file to pass in
> the password. (Create a UNIX user ledgersmb, create a wrapper script
> or just add two lines: PGUSER="ledgersmb";export PGUSER; to your
> apache initialization file and ensure in ledgersmb's home directory
> you have a .pgpass file with appropriate permissions, with the
> password inside).
> 
> Otherwise, you could use the "ident sameuser", in which case you need
> to ensure you're running ident and ident passes the Apache process UID
> in to Postgres.
> 
> Or just use trust.
> 
> Once inside the server, you will connect to the appropriate table.
> That connection comes via the LedgerSMB software which passes the
> parameters from the user_conf table in the ledgersmb database.  That
> is, the software, once connected to the server (as above), grabs a
> username and password from the ledgersmb database user_conf table and
> uses that to authenticate to the server the information to connect to
> a table.
> 
> UNIX user (via Apache process)
> Postgres server
> appropriate table
> 
> When you are creating the user/password in ledgersmb.user_conf, that
> is for the database connection, not the server connection.
> 
> Now, which part was clear as mud?  It may take a few readings to wrap
> your head around all the layers of authentication that go on here.
> 
> HTH,
> 
> David A. Bandel

Thanks David for the explanation. Indeed it is a bit complicated.

What I'm trying to do is help you folks write a manual for my
distribution, which is Gentoo, so an average user can follow and
understand it and at the end ends up with a working version.
What counts is the end result; if the user follows the instructions and
it doesn't work, this project is doomed to fail.

Your explanation might work for somebody who has some experience in
PostgreSQL; what I need besides the explanation is code; in other words,
what do I enter at the command line?

Maybe for the manual I'll just stay with the "trust" version for now and
post my manual and you folks can add or edit if you decide to accept it.

-- 
#Joseph
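As an added example (not part of the original mail and not code from the LedgerSMB project), the script below shows what David's options look like on disk and what each decides for a connection coming from the Apache process: a pg_hba.conf with the weak "trust" line beside a corrected "md5" version, a .pgpass file with the 0600 permissions libpq insists on, and the PGUSER wrapper. The role and database name "ledgersmb", the host and port, the ledgersmb home directory and the apache2 binary path are assumptions. The small pg_hba matcher only understands the "all" wildcard and exists to show the server's first-match behaviour; it is not a replacement for PostgreSQL's own parser. Everything is written under a scratch directory so it runs without a PostgreSQL install.

```shell
#!/bin/sh
# Added example, not code from the LedgerSMB project or from the mail above.
# Assumed names: PostgreSQL role "ledgersmb", database "ledgersmb", server on
# localhost:5432, Apache running as UNIX user "ledgersmb". Everything is
# written under a scratch directory so it runs without PostgreSQL installed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- 1. pg_hba.conf: the weak setting beside the corrected one ------------
# The server uses the FIRST line whose TYPE, DATABASE, USER (and, for host
# lines, ADDRESS) match the incoming connection. "trust" = no password at all.
cat > "$WORK/pg_hba.weak.conf" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all       all            trust
EOF

# Corrected: only role ledgersmb, only database ledgersmb, password required
# (md5); every other local connection falls through to "reject".
cat > "$WORK/pg_hba.conf" <<'EOF'
# TYPE  DATABASE   USER       ADDRESS       METHOD
local   ledgersmb  ledgersmb                md5
host    ledgersmb  ledgersmb  127.0.0.1/32  md5
local   all        all                      reject
EOF

# hba_method FILE TYPE DATABASE USER
# Prints the METHOD of the first matching line, or "no-match". Simplified
# matcher: it understands the "all" wildcard only (no +group, @file, comma
# lists or ADDRESS matching), which is enough for the files above.
hba_method() {
    awk -v t="$2" -v d="$3" -v u="$4" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == t && ($2 == "all" || $2 == d) && ($3 == "all" || $3 == u) {
            m = ($1 == "local") ? $4 : $5   # local lines have no ADDRESS column
            print m; found = 1; exit
        }
        END { if (!found) print "no-match" }' "$1"
}

# --- 2. ~/.pgpass: libpq reads the password from here, so Apache never has
# to answer a prompt. Format: hostname:port:database:username:password
# libpq ignores the file if it is group- or world-readable, hence 0600.
write_pgpass() {   # write_pgpass DIR PASSWORD
    ( umask 077; printf 'localhost:5432:ledgersmb:ledgersmb:%s\n' "$2" > "$1/.pgpass" )
    chmod 600 "$1/.pgpass"
}

pgpass_secure() {  # returns 0 only if the group and other permission bits are all clear
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

pgpass_lookup() {  # pgpass_lookup FILE HOST PORT DATABASE USER -> password
    awk -F: -v h="$2" -v p="$3" -v d="$4" -v u="$5" '
        ($1 == "*" || $1 == h) && ($2 == "*" || $2 == p) &&
        ($3 == "*" || $3 == d) && ($4 == "*" || $4 == u) { print $5; exit }' "$1"
}

# --- 3. the wrapper the mail suggests: export PGUSER (and HOME, which is
# where libpq looks for .pgpass) before starting Apache. Written to the
# scratch dir here; on a real box it would sit in front of the apache init.
cat > "$WORK/apache-wrapper.sh" <<EOF
#!/bin/sh
PGUSER="ledgersmb"; export PGUSER
HOME="/home/ledgersmb"; export HOME   # assumed home of the ledgersmb UNIX user
exec /usr/sbin/apache2 "\$@"          # assumed path of the Gentoo apache binary
EOF
chmod 700 "$WORK/apache-wrapper.sh"

# Constructed password for the demo only.
write_pgpass "$WORK" 'correct-horse-battery'

# What each file decides for a connection arriving from the web server:
echo "weak conf,  UNIX user apache  -> $(hba_method "$WORK/pg_hba.weak.conf" local ledgersmb apache)"
echo "fixed conf, UNIX user apache  -> $(hba_method "$WORK/pg_hba.conf" local ledgersmb apache)"
echo "fixed conf, PGUSER=ledgersmb  -> $(hba_method "$WORK/pg_hba.conf" local ledgersmb ledgersmb)"
echo "password libpq will send      -> $(pgpass_lookup "$WORK/.pgpass" localhost 5432 ledgersmb ledgersmb)"
pgpass_secure "$WORK/.pgpass" && echo ".pgpass permissions ok"
```

The point the output makes is the one in the mail: with the weak file the Apache user gets in as anyone with no password; with the corrected file the Apache user is rejected unless the process presents itself as PGUSER=ledgersmb and libpq can read the password from a properly protected .pgpass.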