RE: [Psycopg] Authentication Problem with Postgres
Andre, Hmmm... This is a bit over my head. I don't see why zope would be sending something different after a restart. I've cross-posted this to the zope list because there are some hard-hitters there that will know more (if Frederico doesn't get to it first : )) You are correct though, the dbase connections should be persistent (at least they are for me). Perhaps you have manually coded your ZPsycopgDA to do the password encrypting? Because I'm reasonably _sure_ the connection string from within the zope management interface is cleartext. Perhaps something between Zope, ZPsycopgDA and postgres is going wrong. Sorry I cant help more, Paul Zwarts -----Original Message----- From: andre@oratrix.nl [mailto:andre@oratrix.nl] On Behalf Of Andre Schubert Sent: Friday, November 23, 2001 11:33 AM To: Paul Zwarts Cc: psycopg@lists.initd.org Subject: Re: [Psycopg] Authentication Problem with Postgres Hi Paul, Zope and Postgres are running on different machines. Postgres only allows crypted session. We have traced only crypted passwords. I think the problem is that there is a wrong password crypted and then sent to postgres, and after a restart the right password is crypted and sent to postgres???? But why does Zope send a password again, i thought the connections of Zope where persistent connections??? How can a track down connection-establishing?? Thanks as Paul Zwarts schrieb:
Andre,
How is your encryption done? Zope authenticates using cleartext
locally
AFAIK... and then again I could be wrong. But perhaps this is why you have the problem?
Postgres (IMHO) should be set to restrict access to only local machines. That way encrypted passwords are not necessary because it can only come from the machine running zope (same machine if postgres lives there as well)
Regards, Paul Zwarts
-----Original Message----- From: psycopg-admin@lists.initd.org [mailto:psycopg-admin@lists.initd.org] On Behalf Of Andre Schubert Sent: Friday, November 23, 2001 11:08 AM To: psycopg@lists.initd.org; pgsql-admin@postgresql.org Subject: [Psycopg] Authentication Problem with Postgres
Hi all,
sometimes i have a curios problem with my Zope. Without any errors in any logs Zope could not authenticate himself with postgres. The error message is that there is a wrong password. After a restart of Zope everything works fine until the eror occurs again.
My sysop has traced the protcols before and after the error. Zope sends some data and then a crypted password with the salt. If the error is occured the password that Zope sends is crypted wrong. After a restart of Zope the password is right crypted.
Could anybody help or explain me this problem, it is very important for the further use of Zope for our websites.
Thanks as _______________________________________________ Psycopg mailing list Psycopg@lists.initd.org http://lists.initd.org/mailman/listinfo/psycopg
_______________________________________________ Psycopg mailing list Psycopg@lists.initd.org http://lists.initd.org/mailman/listinfo/psycopg
Hi, the problems is not DA-dependant, because i had both ZPsycopg and ZPygres running. And the problem occurs at the same time on both DA's. Maybe could it be inside the Zopes TM??? Thanks as Paul Zwarts schrieb:
Andre,
Hmmm... This is a bit over my head. I don't see why zope would be sending something different after a restart. I've cross-posted this to the zope list because there are some hard-hitters there that will know more (if Frederico doesn't get to it first : ))
You are correct though, the dbase connections should be persistent (at least they are for me). Perhaps you have manually coded your ZPsycopgDA to do the password encrypting? Because I'm reasonably _sure_ the connection string from within the zope management interface is cleartext. Perhaps something between Zope, ZPsycopgDA and postgres is going wrong.
Sorry I cant help more, Paul Zwarts
-----Original Message----- From: andre@oratrix.nl [mailto:andre@oratrix.nl] On Behalf Of Andre Schubert Sent: Friday, November 23, 2001 11:33 AM To: Paul Zwarts Cc: psycopg@lists.initd.org Subject: Re: [Psycopg] Authentication Problem with Postgres
Hi Paul,
Zope and Postgres are running on different machines. Postgres only allows crypted session. We have traced only crypted passwords. I think the problem is that there is a wrong password crypted and then sent to postgres, and after a restart the right password is crypted and sent to postgres???? But why does Zope send a password again, i thought the connections of Zope where persistent connections??? How can a track down connection-establishing??
Thanks as
Paul Zwarts schrieb:
Andre,
How is your encryption done? Zope authenticates using cleartext
locally
AFAIK... and then again I could be wrong. But perhaps this is why you have the problem?
Postgres (IMHO) should be set to restrict access to only local machines. That way encrypted passwords are not necessary because it can only come from the machine running zope (same machine if postgres lives there as well)
Regards, Paul Zwarts
-----Original Message----- From: psycopg-admin@lists.initd.org [mailto:psycopg-admin@lists.initd.org] On Behalf Of Andre Schubert Sent: Friday, November 23, 2001 11:08 AM To: psycopg@lists.initd.org; pgsql-admin@postgresql.org Subject: [Psycopg] Authentication Problem with Postgres
Hi all,
sometimes i have a curios problem with my Zope. Without any errors in any logs Zope could not authenticate himself with postgres. The error message is that there is a wrong password. After a restart of Zope everything works fine until the eror occurs again.
My sysop has traced the protcols before and after the error. Zope sends some data and then a crypted password with the salt. If the error is occured the password that Zope sends is crypted wrong. After a restart of Zope the password is right crypted.
Could anybody help or explain me this problem, it is very important for the further use of Zope for our websites.
Thanks as _______________________________________________ Psycopg mailing list Psycopg@lists.initd.org http://lists.initd.org/mailman/listinfo/psycopg
_______________________________________________ Psycopg mailing list Psycopg@lists.initd.org http://lists.initd.org/mailman/listinfo/psycopg
Andre Schubert wrote:
Hi,
the problems is not DA-dependant, because i had both ZPsycopg and ZPygres running. And the problem occurs at the same time on both DA's. Maybe could it be inside the Zopes TM???
Could it be some subtle interaction between ZPsycopg, ZPygresql and libpq (which both use for actual connection, including the encryption) ? ---------------- Hannu
On Fri, 2001-11-23 at 11:10, Hannu Krosing wrote:
Andre Schubert wrote:
Hi,
the problems is not DA-dependant, because i had both ZPsycopg and ZPygres running. And the problem occurs at the same time on both DA's. Maybe could it be inside the Zopes TM???
Could it be some subtle interaction between ZPsycopg, ZPygresql and libpq (which both use for actual connection, including the encryption) ?
psycopg simply calls libpq PQconnectdb(dsn) function, where dsn is the string with the cleartext password inserted when creating/editing a new ZPsycopgDA object. all the encription is done by libpq. better to look for a bug there, imo. -- Federico Di Gregorio Debian GNU/Linux Developer & Italian Press Contact fog@debian.org INIT.D Developer fog@initd.org Don't dream it. Be it. -- Dr. Frank'n'further
Federico Di Gregorio schrieb:
On Fri, 2001-11-23 at 11:10, Hannu Krosing wrote:
Andre Schubert wrote:
Hi,
the problems is not DA-dependant, because i had both ZPsycopg and ZPygres running. And the problem occurs at the same time on both DA's. Maybe could it be inside the Zopes TM???
Could it be some subtle interaction between ZPsycopg, ZPygresql and libpq (which both use for actual connection, including the encryption) ?
psycopg simply calls libpq PQconnectdb(dsn) function, where dsn is the string with the cleartext password inserted when creating/editing a new ZPsycopgDA object. all the encription is done by libpq. better to look for a bug there, imo.
Is there a way to log the PGconnectdb() calls to see which password is sent to postgres???? as
-- Federico Di Gregorio Debian GNU/Linux Developer & Italian Press Contact fog@debian.org INIT.D Developer fog@initd.org Don't dream it. Be it. -- Dr. Frank'n'further
------------------------------------------------------------------------ Part 1.2Type: application/pgp-signature
On Mon, 2001-11-26 at 08:39, Andre Schubert wrote:
Federico Di Gregorio schrieb: [snip]
psycopg simply calls libpq PQconnectdb(dsn) function, where dsn is the string with the cleartext password inserted when creating/editing a new ZPsycopgDA object. all the encription is done by libpq. better to look for a bug there, imo.
Is there a way to log the PGconnectdb() calls to see which password is sent to postgres????
i can send you a patch that does that. or compile with --enable-devel, but that will produce *lots* of information. ciao, federico -- Federico Di Gregorio Debian GNU/Linux Developer & Italian Press Contact fog@debian.org INIT.D Developer fog@initd.org God is real. Unless declared integer. -- Anonymous FORTRAN programmer
participants (4)
-
Andre Schubert -
Federico Di Gregorio -
Hannu Krosing -
Paul Zwarts