Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight

Re^3: Trouble Connecting to PostgreSQL with DBD::Pg

by erix (Vicar)
on Nov 15, 2010 at 13:18 UTC ( #871467=note: print w/replies, xml ) Need Help??

in reply to Re^2: Trouble Connecting to PostgreSQL with DBD::Pg
in thread Trouble Connecting to PostgreSQL with DBD::Pg

Although of course I cannot garantee to spot any errors, you could show your pg_hba.conf here. (make sure you copy & paste the correct one; check with select current_setting('hba_file')).

Replies are listed 'Best First'.
Re^4: Trouble Connecting to PostgreSQL with DBD::Pg
by vendion (Scribe) on Nov 15, 2010 at 23:52 UTC

    Thank you for offering to help out with my problem, here is my pg_hba.conf file

    # PostgreSQL Client Authentication Configuration File # =================================================== # # Refer to the "Client Authentication" section in the # PostgreSQL documentation for a complete description # of this file. A short synopsis follows. # # This file controls: which hosts are allowed to connect, how clients # are authenticated, which PostgreSQL user names they can use, which # databases they can access. Records take one of these forms: # # local DATABASE USER METHOD [OPTIONS] # host DATABASE USER CIDR-ADDRESS METHOD [OPTIONS] # hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTIONS] # hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTIONS] # # (The uppercase items must be replaced by actual values.) # # The first field is the connection type: "local" is a Unix-domain soc +ket, # "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" i +s an # SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socke +t. # # DATABASE can be "all", "sameuser", "samerole", a database name, or # a comma-separated list thereof. # # USER can be "all", a user name, a group name prefixed with "+", or # a comma-separated list thereof. In both the DATABASE and USER field +s # you can also write a file name prefixed with "@" to include names fr +om # a separate file. # # CIDR-ADDRESS specifies the set of hosts the record matches. # It is made up of an IP address and a CIDR mask that is an integer # (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies # the number of significant bits in the mask. Alternatively, you can +write # an IP address and netmask in separate columns to specify the set of +hosts. # # METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", " +krb5", # "ident", "pam", "ldap" or "cert". Note that "password" sends passwo +rds # in clear text; "md5" is preferred since it sends encrypted passwords +. # # OPTIONS are a set of options for the authentication in the format # NAME=VALUE. The available options depend on the different authentica +tion # methods - refer to the "Client Authentication" section in the docume +ntation # for a list of which options are available for which authentication m +ethods. # # Database and user names containing spaces, commas, quotes and other +special # characters must be quoted. Quoting one of the keywords "all", "sameu +ser" or # "samerole" makes the name lose its special character, and just match + a # database or username with that name. # # This file is read on server startup and when the postmaster receives # a SIGHUP signal. If you edit the file on a running system, you have # to SIGHUP the postmaster for the changes to take effect. You can us +e # "pg_ctl reload" to do that. # Put your actual configuration here # ---------------------------------- # # If you want to allow non-local connections, you need to add more # "host" records. In that case you will also need to make PostgreSQL l +isten # on a non-local interface via the listen_addresses configuration para +meter, # or via the -i or -h command line switches. # # TYPE DATABASE USER CIDR-ADDRESS METHOD # "local" is for Unix domain socket connections only local all all ident # IPv4 local connections: host all all ident # IPv6 local connections: host all all ::1/128 ident

      OK, now (mentally) get rid of all those comment blocks above the last 10 lines. Read the PostgreSQL documentation related to this file (linked elsewhere in this thread). Understand it.

      Look at what remains in the file:

      CommentTypeDatabaseUserRemote Address / NetmaskAuthentication Method
      "local", Unix domain socketlocalall databasesall users(does not apply)ident
      IPv4 localhosthostall databasesall users127.0.0.1/32ident
      IPv6 localhosthostall databasesall users::1/128ident

      There are exactly three ways to connect to your PostgreSQL server: The local Unix domain socket, a TCP/IPv4 connection via, and a TCP/IPv6 connection via ::1. All of those connections are "protected" by the ident authentication. Does your server run an ident daemon and is it configured not to return nonsense to ident requests coming in via TCP/IP?

      For debugging, change the authentication method for the three entries to "trust". This disables all authentication checks except for the remote address. Restart the PostgreSQL server.

      In a next step, create a user / update an existing user with a password, and switch to "md5" authentication. After the required PostgreSQL restart, you will need to connect with a valid username / password combination.

      As long as the users working on the server are trustworthy, and PostgreSQL is configured to listen only to localhost connections, that should be sufficient. Choose other authentication methods if the server is exposed to the internet or you don't trust your users.


      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

      Yeah, you probably have no ident server.

      afoken's advice is good (but careful: his URLs point to 9.0, which is slightly different). A few extra remarks:

      Server restart can be avoided with:

      select pg_reload_conf(); -- returns true on success

      or, on the commandline: pg_ctl reload ...

      Maybe not necessary now, but further down the road you may find it handy to organise access (permanently or temporary) via the ~/.pgpass file, and/or the PGPASSFILE environment variable, which you can have pointing to any .pgpass-like file. More info here;

      Finally, read the Pg manual caveat on 'ident':

      Heed the warning: The Identification Protocol is not intended as an authorization or access control protocol. --RFC 1413

        Thank you for the help, I am to get MD5 auth working and that is good enough for me

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://871467]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others chanting in the Monastery: (11)
As of 2017-03-23 17:04 GMT
Find Nodes?
    Voting Booth?
    Should Pluto Get Its Planethood Back?

    Results (290 votes). Check out past polls.