Ident authentication
The ident authentication method determines the client’s operating system user name by querying an Ident service on the client host and comparing it with the requested database user name.
Optionally, you can configure user name mapping in the pg_ident.conf file to translate operating system user names to database user names.
The ident method is supported only for TCP/IP connections.
To use ident, the client host must run an Ident service (for example, oidentd) that reports the operating system user associated with the connection and listens on port 113.
If a local Unix socket connection is attempted with ident configured, Greengage DB automatically uses peer authentication instead.
This topic explains how to configure ident authentication so that the gpadmin user can connect over a local TCP/IP connection, and optionally how to set up user name mapping to allow other operating system users to connect as gpadmin.
The Identification Protocol only verifies the identity of a user or process and does not determine what actions they are allowed to perform. It is not an authorization or access control mechanism.
This authentication method is suitable only for closed networks where each client machine is tightly controlled, and the machine running the Ident service must be trusted.
If the client machine is untrusted or compromised, an attacker could run arbitrary software on port 113 and return any user name they choose.
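The exchange the database server performs against the client host's Ident service, as an added example (not Greengage DB or PostgreSQL source): it builds the query for one TCP/IP connection, parses the reply and compares the reported operating system user with the requested database user. Port numbers and replies are constructed samples; query_ident is a hypothetical helper that only runs against a live Ident service.

```python
"""Ident (RFC 1413) exchange as seen from the database server side (added
example, not Greengage DB code). Port numbers and replies are constructed."""
import socket
from dataclasses import dataclass
from typing import Optional

IDENT_PORT = 113  # the Ident service on the client host listens here

def build_ident_query(client_port: int, server_port: int) -> bytes:
    """Query sent for one TCP connection: first the port on the queried
    (client) host, then the port on the querying (database) host."""
    return f"{client_port}, {server_port}\r\n".encode("ascii")

@dataclass
class IdentReply:
    kind: str            # "USERID" or "ERROR"
    detail: str          # operating system for USERID, error type for ERROR
    user: Optional[str]  # user name exactly as the client host reported it

def parse_ident_reply(raw: bytes) -> Optional[IdentReply]:
    """Parse '<ports> : USERID : <opsys> : <user>' or '<ports> : ERROR : <type>'.
    Returns None for anything else. The user field is whatever the client
    host's Ident service chose to send, which is why that host must be trusted."""
    parts = raw.decode("ascii", errors="replace").rstrip("\r\n").split(":", 3)
    if len(parts) < 3:
        return None
    kind = parts[1].strip().upper()
    if kind == "USERID" and len(parts) == 4:
        return IdentReply("USERID", parts[2].strip(), parts[3].strip())
    if kind == "ERROR":
        return IdentReply("ERROR", parts[2].strip(), None)
    return None

def ident_matches(raw: bytes, requested_db_user: str) -> bool:
    """Without a pg_ident map, the reported OS user must equal the DB user."""
    reply = parse_ident_reply(raw)
    return reply is not None and reply.kind == "USERID" and reply.user == requested_db_user

def query_ident(client_host: str, client_port: int, server_port: int,
                timeout: float = 5.0) -> Optional[IdentReply]:
    """Run the exchange against a live Ident service (hypothetical helper)."""
    with socket.create_connection((client_host, IDENT_PORT), timeout=timeout) as s:
        s.sendall(build_ident_query(client_port, server_port))
        return parse_ident_reply(s.recv(1024))
```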
Install oidentd
The ident authentication method requires an Ident service on the client host to report the operating system user associated with each TCP/IP connection.
This procedure describes how to install and start the oidentd service on the Greengage DB master host running Ubuntu:
- Connect to the master host and switch to the gpadmin user:
  $ sudo su - gpadmin
- Install the oidentd package:
  $ sudo apt install oidentd
- Enable and start the oidentd service:
  $ sudo systemctl enable oidentd
  $ sudo systemctl start oidentd
- Verify that the oidentd service is running:
  $ sudo systemctl status oidentd
  Expected output:
  Active: active (running)
Configure ident authentication
Edit pg_hba.conf
The pg_hba.conf file controls which authentication methods are used for incoming client connections based on the connection type, database, user, and client address.
In this procedure, you add a rule that enables ident authentication for the gpadmin user when connecting from the local host:
- Open pg_hba.conf for editing:
  $ vi $MASTER_DATA_DIRECTORY/pg_hba.conf
- Add the following line to the file:
  # connection-type  database  user     address       auth-method
  host              all       gpadmin  127.0.0.1/32  ident
  This entry configures Greengage DB to use the ident authentication method for TCP/IP connections from the local host for the gpadmin user.
- Save and close the file.
- Reload the configuration with gpstop to apply the changes:
  $ gpstop -u
Test ident authentication
After configuring ident authentication, you can connect to Greengage DB over a local TCP/IP connection without providing a password, as long as you are logged in as the gpadmin operating system user.
Connect to the database over a local TCP/IP connection:
$ psql postgres -U gpadmin -h 127.0.0.1 -p 5432
A successful connection produces the following output:
psql (9.4.26)
Type "help" for help.

postgres=#
If you attempt to connect as a different operating system user using the same command, the following error is returned:
psql: FATAL: Ident authentication failed for user "gpadmin"
Configure user mapping
Edit pg_hba.conf and pg_ident.conf
You can optionally configure user name mapping to translate operating system user names to database user names by using the pg_ident.conf file:
- Open pg_hba.conf for editing:
  $ vi $MASTER_DATA_DIRECTORY/pg_hba.conf
- Modify the ident entry added in the previous section as follows:
  # connection-type  database  user     address       auth-method  auth-options
  host              all       gpadmin  127.0.0.1/32  ident        map=testmap
  The auth-options field specifies that testmap is used to associate an operating system user name with a Greengage DB user name. The actual mapping is defined in the pg_ident.conf file.
- Open pg_ident.conf for editing:
  $ vi $MASTER_DATA_DIRECTORY/pg_ident.conf
- Add the following entry:
  # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
  testmap    /^(.*admin)$     gpadmin
  SYSTEM-USERNAME specifies a regular expression pattern that matches any operating system user whose name ends with admin. These users can connect to a database as the gpadmin database user.
- Save and close the file.
- Reload the configuration using gpstop to apply the changes:
  $ gpstop -u
Test ident authentication
After configuring user name mapping, you can connect to Greengage DB over a local TCP/IP connection without providing a password, as long as you are logged in as an operating system user whose name ends with admin.
For example, the following command can be used:
$ psql postgres -U gpadmin -h 127.0.0.1 -p 5432
Connection results:
- Connection succeeds when run as the gpadmin system user.
- Connection succeeds when run as the dbadmin system user.
- Connection fails when run as the testuser system user.
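A small evaluator for pg_ident.conf entries, added here as an example and not part of the page or of Greengage DB: it reproduces the three connection results above against the page's testmap entry, and also shows why the pattern is anchored with ^ and $, since a regular expression in SYSTEM-USERNAME is searched within the operating system user name rather than matched against the whole of it. Python's re module stands in for the server's regex engine, and the function names are assumptions.

```python
"""Evaluate pg_ident.conf maps the way the server does (added example, not
Greengage DB code). PAGE_MAP is the entry from the page; other inputs are
constructed. A SYSTEM-USERNAME starting with '/' is a regular expression that
is searched in the OS user name (so anchor it); a '\1' in PG-USERNAME is
replaced by the pattern's first capture group."""
import re
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (mapname, system-username, pg-username)

def parse_pg_ident(text: str) -> List[Entry]:
    """Parse pg_ident.conf text, ignoring comments and blank lines."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {line!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries

def usermap_allows(entries: List[Entry], mapname: str,
                   system_user: str, db_user: str) -> bool:
    """True if some entry of `mapname` maps system_user to db_user."""
    for name, sys_pat, pg_user in entries:
        if name != mapname:
            continue
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user)  # search, not full match
            if m is None:
                continue
            if "\\1" in pg_user:
                if not m.groups():
                    raise ValueError(f"{sys_pat!r} has no capture group for \\1")
                pg_user = pg_user.replace("\\1", m.group(1), 1)
            if pg_user == db_user:
                return True
        elif sys_pat == system_user and pg_user == db_user:
            return True  # literal entry: exact, case-sensitive comparison
    return False

PAGE_MAP = """# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
testmap    /^(.*admin)$     gpadmin
"""
```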