pgpool-II 3.6.28 Documentation
Chapter 6. Client Authentication
The following subsections describe the authentication methods in more detail.
When trust authentication is specified, Pgpool-II assumes that anyone who can connect to the server is authorized to connect with whatever database user name they specify.
This authentication method is a password-based method in which the MD5-hashed password is sent by the client. Because Pgpool-II has no visibility of the PostgreSQL database user passwords, and the client application sends only the MD5 hash of the password, md5 authentication in Pgpool-II is supported using the pool_passwd authentication file.
This pool_passwd file should contain lines in the following format:
"username:encrypted_passwd"
Here are the steps to enable md5 authentication:
1- Log in as the database's operating system user and type "pg_md5 --config-file=path_to_pgpool.conf --md5auth --username=username password". The user name and md5-encrypted password are registered into pool_passwd. If pool_passwd does not exist yet, the pg_md5 command will automatically create it for you.
Note: The user name and password must be identical to those registered in the PostgreSQL server.
2- Add an appropriate md5 entry to pool_hba.conf. See Section 6.1 for more details.
3- After changing the md5 password (in both pool_passwd and PostgreSQL, of course), reload the Pgpool-II configuration.
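The following is an added example, not part of the Pgpool-II documentation or code base: a small checker for pool_passwd content that also shows how an entry is used in the md5 exchange. It assumes the PostgreSQL md5 convention ("md5" followed by the hex MD5 of password + user name); the function names, the 4-byte salt and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumed entry shape: "md5" + 32 lowercase hex digits (PostgreSQL md5 convention).
HASH_RE = re.compile(r"md5[0-9a-f]{32}")

def pg_md5_hash(username, password):
    """Stored form of a password: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()

def md5_response(stored, salt):
    """Answer to an md5 challenge: 'md5' + md5(stored hex digits || salt).
    Only the stored value is needed here, never the clear-text password,
    which is why pool_passwd should be readable only by the Pgpool-II user."""
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()

def audit_pool_passwd(text):
    """Check each line against the username:encrypted_passwd format."""
    entries, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, sep, hashed = line.partition(":")
        if not sep or not user:
            problems.append((n, "not in username:encrypted_passwd form"))
        elif not HASH_RE.fullmatch(hashed):
            problems.append((n, user + ": value is not 'md5' + 32 hex digits"))
        elif user in entries:
            problems.append((n, user + ": duplicate entry"))
        else:
            entries[user] = hashed
    return {"entries": entries, "problems": problems}

def matches(entries, username, password):
    """True if the entry for username corresponds to this password."""
    stored = entries.get(username)
    return stored is not None and hmac.compare_digest(
        stored, pg_md5_hash(username, password))

# Constructed sample: one valid line, then three lines the audit should flag.
SAMPLE = "\n".join([
    "alice:" + pg_md5_hash("alice", "s3cret"),
    "bob:plaintextpw",
    "alice:md5" + "0" * 32,
    "carol",
])

if __name__ == "__main__":
    report = audit_pool_passwd(SAMPLE)
    for lineno, reason in report["problems"]:
        print("line %d: %s" % (lineno, reason))
    print("alice matches:", matches(report["entries"], "alice", "s3cret"))
```

Running the same comparison against the password registered in PostgreSQL catches the mismatch that the note in step 1 warns about.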
This authentication method uses PAM (Pluggable Authentication Modules) as the authentication mechanism. The default PAM service name is pgpool. PAM authentication is supported using user information on the host where Pgpool-II is executed. For more information about PAM, please read the Linux-PAM Page.
To enable PAM authentication, you need to create a service-configuration file for Pgpool-II in the system's PAM configuration directory (which is usually at "/etc/pam.d"). A sample service-configuration file is installed as "share/pgpool-II/pgpool.pam" under the install directory.
Note: To enable PAM support, Pgpool-II must be configured with "--with-pam".
GSSAPI is an industry-standard protocol for secure authentication defined in RFC 2743. Currently Pgpool-II does not support GSSAPI. Clients should either not use GSSAPI authentication or use the "prefer GSSAPI authentication if possible" option (this is the default setting of PostgreSQL clients). If the latter is chosen, Pgpool-II requests non-GSSAPI authentication from the client, and the client falls back to a non-GSSAPI authentication method. Thus, users usually do not need to worry that Pgpool-II does not accept GSSAPI authentication.