Hi.
In the attachment is a new patch with updated documentation and with a small change
to coding style as you suggested.

Regards.
Grzegorz.

On 03/09/2016 08:30 AM, Haribabu Kommi wrote:
> On Tue, Mar 8, 2016 at 10:43 PM, Grzegorz Sampolski <grz...@gmail.com
> <mailto:grz...@gmail.com>> wrote:
>> Hi Hari.
>> To use pam modules you can use whatever backend authentication method
>> you want.
>>
>> This is example configuration:
>>
>> Install this library https://github.com/pam-pgsql/pam-pgsql
>> Create some example database <database>, schema access and two tables:
>> pam_auth and pam_account with example definition:
>>
>> pam_account:
>> db_user character varying(16) NOT NULL,
>> host character varying(255) NOT NULL
>>
>> pam_auth:
>> db_user character varying(16) NOT NULL,
>> password character varying(512) NOT NULL
>>
>> Sample /etc/pam_pgsql.conf:
>> connect = dbname=<database> user=<user> password=<password>
>> auth_query = SELECT password FROM access.pam_auth WHERE db_user = %u
> LIMIT 1
>> acct_query = SELECT '0','0','' FROM access.pam_account WHERE db_user =
>> %u AND (host = %h OR %h LIKE host) ORDER BY host DESC LIMIT 1;
>> pw_type = crypt
> 
> Thanks for the details. I am able to test the host limitation based on
> the host from where the connection request is given. This patch
> provides the advantage of passing the connected host address
> details to the PAM modules so they can provide/restrict the authentication.
> 
> A small change in the code, correct the following code from
> 
> +if (retval) {
> 
> to
> 
> if (retval)
> {
> 
> as per the code everywhere.
> 
> 
>> I will try to update the documentation in regard to these changes, but please
>> take into account that my English isn't very fluent. So if I make
>> some mistakes please correct me.
> 
> I am also not a good English speaker :), but we can try to provide to
> as good as possible, later community can help in correcting it if they find
> any problem/improvement.
> 
> Regards,
> Hari Babu
> Fujitsu Australia
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 3b2935c..c43322d 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1627,6 +1627,7 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub";
    <para>
     The following configuration options are supported for PAM:
     <variablelist>
+     
      <varlistentry>
       <term><literal>pamservice</literal></term>
       <listitem>
@@ -1635,6 +1636,19 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub";
        </para>
       </listitem>
      </varlistentry>
+     
+     <varlistentry>
+      <term><literal>pamusedns</literal></term>
+      <listitem>
+       <para>
+       When not set (which is default), then ip address of connected host
+       will be passed to pam modules through PAM_RHOST item.
+       Otherwise it will be an attempt to determine host's name which can lead
+       to login delays.
+       </para>
+      </listitem>
+     </varlistentry>
+    
     </variablelist>
    </para>
 
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index cdc5bf1..af0d641 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1735,6 +1735,21 @@ CheckPAMAuth(Port *port, char *user, char *password)
 {
 	int			retval;
 	pam_handle_t *pamh = NULL;
+	char hostinfo[NI_MAXHOST];
+
+	if (port->hba->pamusedns == true)
+		retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+				hostinfo, sizeof(hostinfo), NULL, 0, 0);
+	else
+		retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+				hostinfo, sizeof(hostinfo), NULL, 0, NI_NUMERICHOST);
+	if (retval)
+	{
+		ereport(LOG,
+				(errmsg("(pam) couldn not determine the remote host information (%s)",
+					gai_strerror(retval))));
+		return STATUS_ERROR;
+	}
 
 	/*
 	 * We can't entirely rely on PAM to pass through appdata --- it appears
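Review bot: The log message in the added ereport has a typo, `couldn not`; it should read `(pam) could not determine the remote host information (%s)`. When pamusedns is set, the value placed in hostinfo comes from a reverse lookup with no forward confirmation, so whoever controls the client's reverse DNS zone decides what the PAM modules see in PAM_RHOST; a comment above the call such as `/* reverse lookup only: PAM modules must not treat this name as verified */` would make that explicit, and a forward lookup as hba.c's hostname matching does would remove the ambiguity. The two branches differ only in the flags argument and could be collapsed to `retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, hostinfo, sizeof(hostinfo), NULL, 0, port->hba->pamusedns ? 0 : NI_NUMERICHOST);`, which also drops the `== true` comparison. CheckPAMAuth's body continues beyond the hunk.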
@@ -1780,6 +1795,17 @@ CheckPAMAuth(Port *port, char *user, char *password)
 		return STATUS_ERROR;
 	}
 
+	retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+	if (retval != PAM_SUCCESS)
+	{
+		ereport(LOG,
+				(errmsg("pam_set_item(PAM_RHOST) failed: %s",
+					pam_strerror(pamh, retval))));
+		pam_passwd = NULL;
+		return STATUS_ERROR;
+	}
+
 	retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
 
 	if (retval != PAM_SUCCESS)
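Review bot: The failure path after pam_set_item(PAM_RHOST) returns STATUS_ERROR without calling pam_end(pamh, retval), so the handle obtained from pam_start earlier in the function is leaked on that path. The adjacent PAM_CONV failure branch appears to do the same, so if that is the existing convention the new branch at least matches it; otherwise both should release the handle before returning, e.g. `pam_end(pamh, retval);` ahead of `pam_passwd = NULL;`. CheckPAMAuth starts and ends outside this hunk.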
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 94f7cfa..db3fe3c 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1447,6 +1447,15 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
 		REQUIRE_AUTH_OPTION(uaPAM, "pamservice", "pam");
 		hbaline->pamservice = pstrdup(val);
 	}
+	else if (strcmp(name, "pamusedns") == 0)
+	{
+		REQUIRE_AUTH_OPTION(uaPAM, "pamusedns", "pam");
+		if (strcmp(val, "1") == 0)
+			hbaline->pamusedns = true;
+		else
+			hbaline->pamusedns = false;
+
+	}
 	else if (strcmp(name, "ldapurl") == 0)
 	{
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
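Review bot: Any value other than the literal `1` silently disables pamusedns, so an administrator writing `pamusedns=true` or `pamusedns=yes` gets the numeric address without any diagnostic. If this mirrors how the other boolean HBA options are parsed the behaviour is at least consistent, but the new documentation should then state that the option is enabled only by the value `1`, or the parser should reject unrecognised values the way it does for other malformed options. The blank line before the closing brace of the new branch is out of keeping with the surrounding code. parse_hba_auth_opt extends beyond the hunk in both directions.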
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 68a953a..f39240d 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -64,6 +64,7 @@ typedef struct HbaLine
 
 	char	   *usermap;
 	char	   *pamservice;
+	bool		pamusedns;
 	bool		ldaptls;
 	char	   *ldapserver;
 	int			ldapport;
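Review bot: The new field has no explicit default, so the documented behaviour of passing the numeric address when the option is absent relies on HbaLine being zero-initialised by its allocator; if parse_hba_line uses palloc0 that holds, but it is worth confirming rather than assuming. A short comment on the field, `/* pass the reverse-resolved host name rather than the IP to PAM_RHOST */`, would also help readers of the header.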
-- 