From 9872381090cf4cd45748422df67f1c64b31c5ead Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Mon, 15 Sep 2008 12:32:57 +0000
Subject: Parse pg_hba.conf in postmaster, instead of once in each backend for
 each connection. This makes it possible to catch errors in the pg_hba file
 when it's being reloaded, instead of silently reloading a broken file and
 failing only when a user tries to connect.

This patch also makes the "sameuser" argument to ident authentication
optional.
---
 doc/src/sgml/client-auth.sgml | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index e5f56e55d94..828b5e2caec 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.106 2008/01/05 13:17:00 petere Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.107 2008/09/15 12:32:56 mha Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -509,7 +509,7 @@ host    all         all         127.0.0.1     255.255.255.255     trust
 # the connection (typically the Unix user name).
 # 
 # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
-host    postgres    all         192.168.93.0/24       ident sameuser
+host    postgres    all         192.168.93.0/24       ident
 
 # Allow a user from host 192.168.12.10 to connect to database
 # "postgres" if the user's password is correctly supplied.
@@ -839,8 +839,8 @@ local   db1,db2,@demodbs  all                         md5
 
    <para>
     The ident authentication method works by obtaining the client's
-    operating system user name, then determining the allowed database
-    user names using a map file that lists the permitted
+    operating system user name, then optionally determining the allowed 
+    database user names using a map file that lists the permitted
     corresponding pairs of names.  The determination of the client's
     user name is the security-critical point, and it works differently
     depending on the connection type.
@@ -928,15 +928,13 @@ local   db1,db2,@demodbs  all                         md5
     allowed to connect as the database user he is requesting to connect
     as. This is controlled by the ident map argument that follows the
     <literal>ident</> key word in the <filename>pg_hba.conf</filename>
-    file. There is a predefined ident map <literal>sameuser</literal>,
-    which allows any operating system user to connect as the database
-    user of the same name (if the latter exists). Other maps must be
-    created manually.
+    file. If an ident map is not specified, the database user will be
+    checked with the same name as the operating system user. Other maps
+    must be created manually.
    </para>
 
    <para>
-    Ident maps other than <literal>sameuser</literal> are defined in the
-    ident map file, which by default is named
+    Ident maps are defined in the ident map file, which by default is named
     <filename>pg_ident.conf</><indexterm><primary>pg_ident.conf</primary></indexterm>
     and is stored in the
     cluster's data directory.  (It is possible to place the map file
-- 
cgit v1.2.3