author | Magnus Hagander <magnus@hagander.net> | 2008-11-20 11:48:26 +0000 |
---|---|---|
committer | Magnus Hagander <magnus@hagander.net> | 2008-11-20 11:48:26 +0000 |
commit | f179d5ea99b4598689e5aefed376874b68110978 (patch) | |
tree | f3af4e57ce35be33afe3839c9341f81c7c7367e3 /doc/src | |
parent | 3c486fbd1c8e8f79902a40ef929c4ed54f122561 (diff) |
Add support for using SSL client certificates to authenticate to the
database (only for SSL connections, obviously).
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/client-auth.sgml | 31 | ||||
-rw-r--r-- | doc/src/sgml/runtime.sgml | 10 |
2 files changed, 34 insertions, 7 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index de473f201c0..f10a93953e1 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.111 2008/11/18 13:10:20 petere Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/20 11:48:26 mha Exp $ --> <chapter id="client-authentication"> <title>Client Authentication</title> @@ -388,6 +388,16 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> </varlistentry> <varlistentry> + <term><literal>cert</></term> + <listitem> + <para> + Authenticate using SSL client certificates. See + <xref linkend="auth-cert"> for details. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><literal>pam</></term> <listitem> <para> @@ -1114,6 +1124,25 @@ ldapserver=ldap.example.net prefix="cn=" suffix="dc=example, dc=net" </sect2> + <sect2 id="auth-cert"> + <title>Certificate authentication</title> + + <indexterm zone="auth-cert"> + <primary>Certificate</primary> + </indexterm> + + <para> + This authentication method uses SSL client certificates to perform + authentication. It is therefore only available for SSL connections. + When using this authentication method, the server will require that + the client provide a certificate. No password prompt will be sent + to the client. The <literal>cn</literal> attribute of the certificate + will be matched with the username the user is trying to log in as, + and if they match the login will be allowed. Username mapping can be + used if the usernames don't match. + </para> + </sect2> + <sect2 id="auth-pam"> <title>PAM authentication</title> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 1a862b5c4b2..f40899e0d60 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml 
@@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.421 2008/11/20 09:29:35 mha Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.422 2008/11/20 11:48:26 mha Exp $ --> <chapter Id="runtime"> <title>Operating System Environment</title> @@ -1674,11 +1674,9 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput </para> <para> - <productname>PostgreSQL</> currently does not support authentication - using client certificates, since it cannot differentiate between - different users. As long as the user holds any certificate issued - by a trusted CA it will be accepted, regardless of what account the - user is trying to connect with. + You can use the authentication method <literal>cert</> to use the + client certificate for authenticating users. See + <xref linkend="auth-cert"> for details. </para> </sect2> |
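
Review bot: In the client-auth.sgml hunk at @@ -388,6 +388,16, the new `<literal>cert</>` list entry does not say that the method is restricted to SSL connections, so a reader scanning the method list learns this only after following the xref. Suggest adding a short clause to the entry's `<para>`, for example "Only available for SSL connections.", matching what the new auth-cert section states.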
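
Review bot: In the new auth-cert section (client-auth.sgml, @@ -1114,6 +1124,25), the paragraph says the server "will require that the client provide a certificate" but does not say how that certificate is validated or where the trusted CA is configured, and "Username mapping can be used if the usernames don't match" carries no cross-reference. Suggest adding an xref to the SSL setup section in runtime.sgml and one to the username map documentation, and stating whether the comparison of the `cn` attribute with the username is case-sensitive.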
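
Review bot: In the runtime.sgml hunk at @@ -1674,11 +1674,9, the removed paragraph warned that any certificate issued by a trusted CA is accepted "regardless of what account the user is trying to connect with", and the replacement drops that warning without saying whether it still holds when client certificates are presented under a method other than `cert`. Suggest keeping one sentence on what a client certificate does and does not establish outside the `cert` method. As a style point, "use the authentication method cert to use the client certificate" repeats "use"; "to authenticate users with the client certificate" reads better.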