3

This is the relevant part of my pg_hba.conf:

    # TYPE  DATABASE        USER            ADDRESS                 METHOD

    # "local" is for Unix domain socket connections only
    local   all             all                                     ident
    # IPv4 local connections:
    host    all             all             127.0.0.1/32            ident
    # IPv6 local connections:
    host    all             all             ::1/128                 ident

The pidentd service is running.

When I try to log onto ee1 (I assume the default user is postgres):

    psql ee1

It says "peer authentication failed for user postgres"

  1. Where have I configured peer authentication for "postgres"? It's ident.

  2. When I change the following line in pg_hba.conf:

    local   all             all                                 ident
    

    to

    local   all             all                                 md5
    

    it asks me for a password, and I am able to log in. Why is it that making changes to the local connection type has an effect on the postgres user?

Erwin Brandstetter
Daud

2 Answers

3

ident authentication means that your OS user matches the DB user. It is supported only for TCP/IP connections, as the relevant entry in the docs states. If used with a Unix socket, the peer authentication method will be used instead.

Also note that the default user is not postgres, but the one you're currently logged in with.

vyegorov
  • I am logged in to my system with my own username, then why is it saying that "peer authentication failed for user 'postgres'"? – Daud Aug 13 '12 at 07:38
2

local is a connection type used in pg_hba.conf, while localhost is the network address for local loopback and translates to the IPv4 address 127.0.0.1, or IPv6 ::1.
I quote the manual about pg_hba.conf:

local

This record matches connection attempts using Unix-domain sockets. Without a record of this type, Unix-domain socket connections are disallowed.

host

This record matches connection attempts made using TCP/IP. host records match either SSL or non-SSL connection attempts.

Note: Remote TCP/IP connections will not be possible unless the server is started with an appropriate value for the listen_addresses configuration parameter, since the default behavior is to listen for TCP/IP connections only on the local loopback address localhost.

For the GUC* listen_addresses in postgresql.conf, localhost also serves as setting:
* GUC: Grand Unified Configuration

The default value is localhost, which allows only local TCP/IP "loopback" connections to be made.

Bold emphasis mine.

Erwin Brandstetter
  • I specified md5 for the 'host' connection type (with loopback address) and tried 'psql ee1', and it never asked me for a password, but when I specified md5 for the 'local' connection type, it started asking me for a password. Why is that? How do I know whether I am using Unix sockets to access localhost or using TCP/IP to access localhost? – Daud Aug 13 '12 at 08:28
  • 1
    @Daud: If you connect locally (for instance, with `psql` on the same machine) the settings for `host` in `pg_hba.conf` are ineffective and the settings for the `local` connection type are relevant. You are automatically using a Unix socket when you don't supply a network address in your connection (and therefore, connect locally). – Erwin Brandstetter Aug 13 '12 at 18:33
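
The following Python sketch is an added example, not part of either answer and not PostgreSQL's own code. It models the first-match rule described above: a connection with no network address is matched only against `local` records, and `ident` on such a record is handled as peer. The function names are hypothetical, and the model is simplified to `all` or literal names and CIDR addresses.

```python
import ipaddress

# Constructed sample: the pg_hba.conf records from the question.
SAMPLE_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     ident
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
"""

def parse_hba(text):
    """Return a list of (type, database, user, address, method) records."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # naive comment stripping
        if not fields:
            continue
        if fields[0] == "local":                 # local records have no ADDRESS column
            conn, db, user, method = fields[:4]
            addr = None
        else:
            conn, db, user, addr, method = fields[:5]
        records.append((conn, db, user, addr, method))
    return records

def _matches(field, value):
    return field == "all" or value in field.split(",")

def effective_method(records, database, user, client_addr=None):
    """First matching record wins; client_addr=None means a Unix-socket connection."""
    for conn, db, usr, addr, method in records:
        # Unix-socket connections see only "local" records, TCP/IP ones only host records.
        if (conn == "local") != (client_addr is None):
            continue
        if addr is not None and (ipaddress.ip_address(client_addr)
                                 not in ipaddress.ip_network(addr, strict=False)):
            continue
        if not (_matches(db, database) and _matches(usr, user)):
            continue
        # ident is supported only over TCP/IP; on a local record peer is used instead.
        if conn == "local" and method == "ident":
            return conn, "peer"
        return conn, method
    return None  # no matching record: the connection is rejected
```

With the question's file, `effective_method(parse_hba(SAMPLE_HBA), "ee1", "postgres")` selects the `local` record with method peer, while passing `"127.0.0.1"` as `client_addr` selects the IPv4 `host` record.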