From f179d5ea99b4598689e5aefed376874b68110978 Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Thu, 20 Nov 2008 11:48:26 +0000
Subject: Add support for using SSL client certificates to authenticate to the
 database (only for SSL connections, obviously).

---
 doc/src/sgml/client-auth.sgml | 31 ++++++++++++++++++++++++++++++-
 doc/src/sgml/runtime.sgml     | 10 ++++------
 2 files changed, 34 insertions(+), 7 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index de473f201c0..f10a93953e1 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.111 2008/11/18 13:10:20 petere Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/20 11:48:26 mha Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -387,6 +387,16 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
         </listitem>
        </varlistentry>
 
+       <varlistentry>
+        <term><literal>cert</></term>
+        <listitem>
+         <para>
+          Authenticate using SSL client certificates. See
+          <xref linkend="auth-cert"> for details.
+         </para>
+        </listitem>
+       </varlistentry>
+
        <varlistentry>
         <term><literal>pam</></term>
         <listitem>
@@ -1114,6 +1124,25 @@ ldapserver=ldap.example.net prefix="cn=" suffix="dc=example, dc=net"
 
   </sect2>
 
+  <sect2 id="auth-cert">
+   <title>Certificate authentication</title>
+
+   <indexterm zone="auth-cert">
+    <primary>Certificate</primary>
+   </indexterm>
+
+   <para>
+    This authentication method uses SSL client certificates to perform
+    authentication. It is therefore only available for SSL connections.
+    When using this authentication method, the server will require that
+    the client provide a certificate. No password prompt will be sent
+    to the client. The <literal>cn</literal> attribute of the certificate
+    will be matched with the username the user is trying to log in as,
+    and if they match the login will be allowed. Username mapping can be
+    used if the usernames don't match.
+   </para>
+  </sect2>
+
   <sect2 id="auth-pam">
    <title>PAM authentication</title>
 
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 1a862b5c4b2..f40899e0d60 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.421 2008/11/20 09:29:35 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.422 2008/11/20 11:48:26 mha Exp $ -->
 
 <chapter Id="runtime">
  <title>Operating System Environment</title>
@@ -1674,11 +1674,9 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
   </para>
 
   <para>
-   <productname>PostgreSQL</> currently does not support authentication
-   using client certificates, since it cannot differentiate between
-   different users. As long as the user holds any certificate issued
-   by a trusted CA it will be accepted, regardless of what account the
-   user is trying to connect with.
+   You can use the authentication method <literal>cert</> to use the
+   client certificate for authenticating users. See
+   <xref linkend="auth-cert"> for details.
   </para>
   </sect2>
 
-- 
cgit v1.2.3