docs: clarify the interaction of clientcert and cert auth.

This is the first paragraph change of master-only commit 253f1025da.

Backpatch-through: PG 12-13 only
Bruce Momjian 2020-10-05 16:07:15 -04:00
parent d1c23d726d
commit ef40ab77d5
1 changed files with 4 additions and 7 deletions


@ -2042,13 +2042,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""
</para>
<para>
In a <filename>pg_hba.conf</filename> record specifying certificate
authentication, the authentication option <literal>clientcert</literal> is
assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
and it cannot be turned off since a client certificate is necessary for this
method. What the <literal>cert</literal> method adds to the basic
<literal>clientcert</literal> certificate validity test is a check that the
<literal>cn</literal> attribute matches the database user name.
It is redundant to use the <literal>clientcert</literal> option with
<literal>cert</literal> authentication because <literal>cert</literal>
authentication is effectively <literal>trust</literal> authentication
with <literal>clientcert=verify-full</literal>.
</para>
</sect1>
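Review bot: The sentence beginning "It is redundant to use the clientcert option" no longer says what happens when a cert record carries a clientcert value other than verify-full, whereas the wording it replaces stated that the option "cannot be turned off". "Redundant" only covers the case where the value matches. Suggest keeping a clause saying that clientcert cannot be disabled or weakened on a cert record, or stating how such a setting is handled. Also suggest keeping the explicit statement that the cn attribute must match the database user name. With "effectively trust authentication with clientcert=verify-full" the reader has to look up verify-full to learn that this match is the only check before a password-less login. The +/- markers are not visible in this rendering, so this assumes the four lines from "It is redundant" are the additions, consistent with the 4 additions and 7 deletions reported above.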