Currently, the Red Hat and (I believe) PGDG RPMs set up ident authentication as the default, by running initdb with --auth='ident sameuser'. I think several other binary distros do the same. It was pointed out to me recently that this does not work real well anymore on Fedora. It's fine on Unix-socket connections but fails entirely on localhost TCP, because (1) the TCP ident daemon isn't started by default (even assuming you installed it), and (2) if it is running, the default arguments for it include "-E" which causes it to return an encrypted version of the username. So authentication will always fail.

In the modern net it's kind of hard to tell people to run identd servers without -E, so I'm thinking that this default is becoming more and more useless. IMHO there are a couple of things we ought to do about it:

* initdb has to abandon the one-size-fits-all approach to auth methods; we need to be able to specify different auth methods for unix-socket and TCP. (Of course, the RPMs could just hack in the right thing with sed, but then why are we bothering to support an --auth argument at all?)

* I'm inclined to make the Red Hat RPMs default to ident on socket and md5 on localhost ... any comments about that?

* We ought to think about ways to cope with encrypted ident daemons. Assuming that a given daemon always reports the same encrypted string for a given username, ISTM it ought to be possible for a DBA to set up an ident mapping file that would allow ident-encrypted authentication to work. You'd likely need a separate mapping file per client host because the encryption keys would be different, but it'd beat not having ident support at all.

We'd need to add documentation explaining how to do this, and I think we should also tweak the logging of failed ident-auth connections. All we have at the moment is

    ereport(DEBUG2,
            (errmsg("Ident protocol identifies remote user as \"%s\"",
                    ident_user)));

which is pretty inadequate because it doesn't mention either the PG user name or the remote machine's address. I'd like to put out a LOG-level message mentioning all three anytime TCP ident authentication fails, so that the postmaster log provides the info needed to set up a mapping file. Can anyone see any reasons not to do that?

regards, tom lane
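The socket/TCP split and the per-host ident map that the message proposes, written out as an added pg_hba.conf and pg_ident.conf fragment (this is an illustration added here, not configuration from the original post or from the RPMs; it uses the pg_hba.conf/pg_ident.conf syntax of PostgreSQL of that era, and the client address 192.0.2.10, the map name "clienthost10" and the bracketed ident tokens are constructed placeholders):

```conf
# pg_hba.conf (added example): ident only where it still works, i.e. on the
# Unix socket; password (md5) on localhost TCP, so a missing identd or one
# started with -E cannot lock out every TCP client.
# TYPE  DATABASE  USER  CIDR-ADDRESS    METHOD
local   all       all                   ident sameuser
host    all       all   127.0.0.1/32    md5

# Optional: a client host whose identd answers with encrypted user names
# is routed through its own ident map instead of md5. (Address is a
# constructed example, not a real host.)
host    all       all   192.0.2.10/32   ident clienthost10

# pg_ident.conf (added example): one map per client host, because each
# host's identd encrypts with its own key. IDENT-USERNAME is the string
# the daemon returned, as recorded in the postmaster log for the failed
# attempt; the bracketed tokens below are constructed placeholders.
# MAPNAME        IDENT-USERNAME                PG-USERNAME
clienthost10     [Sg1b2c3d4e5f6g7h8i9j0klmn]   alice
clienthost10     [T9z8y7x6w5v4u3t2s1r0qpon]    bob
```

The map only helps under the post's stated assumption that the daemon returns the same encrypted string for a given user every time; if the token varies per connection, fall back to md5 for that host.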