[pgpool-general: 3100] Re: pg_md5 issue
Tatsuo Ishii
ishii at postgresql.org
Tue Aug 12 11:35:38 JST 2014
> Ishii-san,
>
> Arrigato for your assistance. I understand this much better, but may I ask you about the use of pool_hba.conf? I know it is needed if enable_pool_hba is on, but if that parameter is on, do I still need the pool_passwd file?
Yes.
> And if it is needed, should I just create it using pg_md5 with the --md5auth option?
Yes.
Also please remember that you add an entry for the user into
pg_hba.conf on *all* PostgreSQL. And you need to enable md5 auth on
PostgreSQL as well.
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
> Again, arrigato,
> Jay
>
> Sent from my iPad
>
>> On Aug 11, 2014, at 9:26 PM, Tatsuo Ishii <ishii at postgresql.org> wrote:
>>
>> Jay,
>>
>>> Ishii-san,
>>>
>>> I'm not certain what you mean by "is pool_hba.conf setup correctly?" I
>>> did not change it from the defaults, but yes enable_pool_hba = on.
>>>
>>> I had seen settings on the internet where people had used --md5auth
>>> option for pg_md5, but I thought md5 was the default. When I used that
>>> option, it wrote out the response to the pool_passwd file. Without
>>> that option, it writes to stdout. The problem is that the output
>>> changes with and without the --md5auth option, but I do understand
>>> that with enable_pool_hba = on, I don't really need pool_passwd.
>>
>> pool_passwd, enable_pool_hba, and pool_hba.conf are for md5
>> authentication against PostgreSQL (and clients). pcp also uses md5
>> encrypted password stored in pcp.conf. However, the format of md5
>> password in pool_passwd and pcp.conf are different. pg_md5 emits those
>> different formats of md5 password.
>>
>> So, if you just need md5 password for pcp.conf, do not use --md5auth
>> option.
>>
>>> I had
>>> to get some value into the pcp.conf filem and if I copied the value
>>> delivered to stdout into the file, it worked.
>>
>> Yes, this is the correct way to set up pcp.conf.
>>
>>> If I copied the value
>>> written by pg_md5 into the pool_passwd file instead into pcp.conf, I
>>> get AuthorizationError when I try to run any pcp commands.
>>>
>>> I'm really not certain if I'm doing anything wrong here.
>>>
>>> --
>>> Jay
>>>
>>> On 8/11/2014 11:36 AM, Tatsuo Ishii wrote:
>>>>> Hi all,
>>>>>
>>>>> I was trying to document my procedure for setting up pgpool for my QA
>>>>> folks when I stumbled across an issue with pg_md5.
>>>>>
>>>>> If I issue: /usr/bin/pg_md5 --md5auth <password> where <password> is
>>>>> the user's actual password, pg_md5 writes an entry to the pool_passwd
>>>>> file like:
>>>>>
>>>>> postgres:md5a004267ea750b79e526724833f42133
>>>>>
>>>>> but if I issue the command as /usr/bin/pg_md5 <password> what gets
>>>>> spit out to terminal is:
>>>>>
>>>>> 953674ba4731447e6a7ddaf32b308679
>>>>>
>>>>> Now, I know md5 can have multiple strings evaluate to the same answer,
>>>>> but the value written into the pool_passwd file does NOT work,
>>>> Are you sure that:
>>>>
>>>> enable_pool_hba = on
>>>>
>>>> in pgpool.conf
>>>>
>>>> and set up pool_hba.conf correctly?
>>>>
>>>>> whereas, if I edit the pool_passwd file and write the second string
>>>>> ending in 679 to it, then it does work. I noticed this when I copied
>>>>> and pasted the entry into the /etc/pgpool-II/pcp.conf file. Attempting
>>>>> to use any pcp_* command fails authentication with the first string,
>>>>> but works when the second string is in the file.
>>>>>
>>>>> I'm using centO/S 6.5 and V.3.3.3-4 of pgpool if that makes a
>>>>> difference, but I'd like to know why it works differently in these
>>>>> cases with one being OK to use, and the other failing miserably.
>>>>> --
>>>>> Jay
>>>>>
>>>>> _______________________________________________
>>>>> pgpool-general mailing list
>>>>> pgpool-general at pgpool.net
>>>>> http://www.pgpool.net/mailman/listinfo/pgpool-general
>>>
More information about the pgpool-general
mailing list