On Fri, Nov 6, 2009 at 9:06 AM, River Tarnell river@loreley.flyingparchment.org.uk wrote:
i don't think using LDAP is a good idea. it will encourage users to write their LDAP passwords into their tools, and it's not uncommon for people to expose these passwords due to programming errors. while LDAP passwords can't be used to log in, it seems better to use separate database passwords, like we do for MySQL.
pg_hba.conf can be set up to authenticate users without passwords, but instead by IP address/range + username:
host osmdb all 192.168.93.0/24 (or whatever the toolserver ip/range) ident
http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html
Alternatively, .pgpass can be used similarly to using my.cnf for MySQL authentication.
http://wiki.postgresql.org/wiki/Pgpass
I would recommend configuring permissions in pg_hba.conf rather than pgpass, but either would work.
Marcin and i have agreed on a plan for ptolemy: it will become the OSM Toolserver, running PostgreSQL and Apache (for tiles), but with no user access. OSM tools will move to the regular Toolserver, and access ptolemy remotely. we are currently waiting on WMF approval to implement this.
And use Cassini as the production db server?
-Kate
- river.
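As an added example (not part of the thread, and not the toolserver's own configuration), here is a small Python audit script for the pg_hba.conf approach Kate describes. It parses the rules and flags the settings a reviewer would want to catch before opening a database to a network range: "trust" entries, the clear-text "password" method, rules matching every address, plain "host" rules for password methods that also accept non-TLS sessions, and "ident" rules, which rely on the identd daemon on the client host and so only make sense on a trusted network. The pg_hba.conf text inside it is constructed: the 192.168.93.0/24 range is the placeholder from Kate's message, and the trust/password lines are deliberately weak entries added to exercise the checks.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample pg_hba.conf (not from any real server). The osmdb/ident
# line mirrors Kate's suggestion; the trust and password lines are deliberately
# weak entries so the audit has something to flag.
SAMPLE_PG_HBA = """
# TYPE    DATABASE  USER  ADDRESS           METHOD
local     all       all                     peer
host      osmdb     all   192.168.93.0/24   ident
host      all       all   0.0.0.0/0         trust
host      all       all   10.0.0.0/8        password
hostssl   osmdb     osm   192.168.93.0/24   scram-sha-256
"""

HOST_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}


@dataclass
class HbaRule:
    conn_type: str
    database: str
    user: str
    address: Optional[str]  # None for "local" (Unix-socket) rules
    method: str
    findings: List[str] = field(default_factory=list)


def _parse_address(tokens):
    """Return (network or None, remaining tokens). Accepts CIDR or 'ip netmask' forms;
    names such as 'all', 'samenet' or DNS names are passed through unexpanded."""
    first = tokens[0]
    if "/" in first:
        return ipaddress.ip_network(first, strict=False), tokens[1:]
    if len(tokens) >= 2:
        try:  # two-token form: "10.0.0.0 255.0.0.0"
            return ipaddress.ip_network(f"{first}/{tokens[1]}", strict=False), tokens[2:]
        except ValueError:
            pass
    return None, tokens[1:]


def parse_pg_hba(text):
    """Parse pg_hba.conf text into HbaRule objects (comments and blank lines skipped)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conn_type = parts[0]
        if conn_type == "local":
            if len(parts) < 4:
                raise ValueError(f"line {lineno}: local rule needs DATABASE USER METHOD")
            rules.append(HbaRule(conn_type, parts[1], parts[2], None, parts[3]))
        elif conn_type in HOST_TYPES:
            if len(parts) < 5:
                raise ValueError(f"line {lineno}: host rule needs DATABASE USER ADDRESS METHOD")
            network, rest = _parse_address(parts[3:])
            if not rest:
                raise ValueError(f"line {lineno}: missing METHOD")
            address = parts[3] if network is None else str(network)
            rules.append(HbaRule(conn_type, parts[1], parts[2], address, rest[0]))
        else:
            raise ValueError(f"line {lineno}: unknown connection type {conn_type!r}")
    return rules


def audit_rule(rule):
    """Attach human-readable findings to one rule; returns the same rule."""
    f = rule.findings
    if rule.method == "trust":
        f.append("trust: matching clients connect with no authentication at all")
    if rule.method == "password":
        f.append("password: password crosses the wire in clear text; prefer scram-sha-256")
    if rule.method == "ident":
        f.append("ident: trusts the identd daemon on the client host; only for a trusted network")
    if rule.address is not None:
        try:
            net = ipaddress.ip_network(rule.address, strict=False)
        except ValueError:
            net = None  # 'all', 'samenet', hostnames: not a literal network
        if net is not None and net.prefixlen == 0:
            f.append("address matches every client address")
    if rule.conn_type == "host" and rule.method in PASSWORD_METHODS:
        f.append("host: also accepts non-TLS sessions; hostssl restricts this rule to TLS")
    return rule


def audit_pg_hba(text):
    return [audit_rule(r) for r in parse_pg_hba(text)]


def risky_rules(text):
    """Only the rules that produced at least one finding."""
    return [r for r in audit_pg_hba(text) if r.findings]


if __name__ == "__main__":
    for r in audit_pg_hba(SAMPLE_PG_HBA):
        addr = r.address or "(unix socket)"
        print(f"{r.conn_type:12} {r.database:8} {r.user:6} {addr:18} {r.method}")
        for note in r.findings:
            print(f"    - {note}")
```

Run it against a real pg_hba.conf by reading the file into `audit_pg_hba`; rules are matched top to bottom by PostgreSQL, so a broad "trust" line near the top neutralises everything below it, which is why the script reports per rule rather than giving a single verdict.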