On Fri, Nov 6, 2009 at 9:06 AM, River Tarnell
<river(a)loreley.flyingparchment.org.uk> wrote:
> i don't think using LDAP is a good idea. it will encourage users to
> write their LDAP passwords into their tools, and it's not uncommon for
> people to expose these passwords due to programming errors. while LDAP
> passwords can't be used to log in, it seems better to use separate
> database passwords, like we do for MySQL.
pg_hba.conf can be set up to authenticate users without passwords, but
instead by IP address/range + username:
    host osmdb all 192.168.93.0/24 (or whatever the toolserver ip/range) ident
http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html
Alternatively, .pgpass can be used similarly to using my.cnf for MySQL
authentication.
http://wiki.postgresql.org/wiki/Pgpass
I would recommend configuring permissions in pg_hba.conf rather than
pgpass, but either would work.
> Marcin and i have agreed on a plan for ptolemy: it will become the OSM
> Toolserver, running PostgreSQL and Apache (for tiles), but with no user
> access. OSM tools will move to the regular Toolserver, and access
> ptolemy remotely. we are currently waiting on WMF approval to implement
> this.
And use Cassini as the production db server?
-Kate
> - river.
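
An added example, not part of the original messages or of the Toolserver's configuration: a small Python check of which pg_hba.conf record PostgreSQL would apply to a given connection, and which host records accept a client without a secret. It assumes CIDR addresses and literal or `all` database/user names; the sample file, the second record and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf; the first record mirrors the line quoted in
# the message, the second is an assumed catch-all added for contrast.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS           METHOD
host    osmdb     all   192.168.93.0/24   ident
host    all       all   0.0.0.0/0         md5
"""

# Methods that admit a client without the server checking a secret.
NO_SECRET = {"trust", "ident"}

def parse_hba(text):
    """Return (type, databases, users, network, method) for each host record."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # skip blanks, comments and local (socket) records
        conn_type, dbs, users, addr, method = fields[:5]
        network = ipaddress.ip_network(addr, strict=False)  # ValueError if not CIDR
        records.append((conn_type, dbs.split(","), users.split(","), network, method))
    return records

def match(records, database, user, client_ip):
    """PostgreSQL applies the first matching record; there is no fall-through."""
    ip = ipaddress.ip_address(client_ip)
    for _, dbs, users, network, method in records:
        if ip not in network:
            continue
        if "all" not in dbs and database not in dbs:
            continue
        if "all" not in users and user not in users:
            continue
        return network, method
    return None  # no record matches: the server rejects the connection

def audit(records):
    """List host records whose method trusts the client instead of a secret."""
    return [(str(net), method) for _, _, _, net, method in records if method in NO_SECRET]

if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    print(match(recs, "osmdb", "kate", "192.168.93.17"))
    print(audit(recs))
```

On a host record, ident makes the server ask the client machine's ident service for the user name, so a record flagged by `audit` is only as trustworthy as every machine in the listed range.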