diff options
| author | Bruce Momjian <bruce@momjian.us> | 2020-10-05 16:07:15 -0400 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2020-10-05 16:07:15 -0400 |
| commit | ef40ab77d5143385d15dcfd08c5a7d66719ef7a3 (patch) | |
| tree | 812714316db5569863111ef32d1bf381be98cd4a | |
| parent | d1c23d726d50e10179235b6cee6b34543a879b19 (diff) | |
| download | postgresql-ef40ab77d5143385d15dcfd08c5a7d66719ef7a3.tar.gz postgresql-ef40ab77d5143385d15dcfd08c5a7d66719ef7a3.zip | |
docs: clarify the interaction of clientcert and cert auth.
This is the first paragraph change of master-only commit 253f1025da.
Backpatch-through: PG 12-13 only
| -rw-r--r-- | doc/src/sgml/client-auth.sgml | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 5cd88b462db..a0d584fb34e 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -2042,13 +2042,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"","" </para> <para> - In a <filename>pg_hba.conf</filename> record specifying certificate - authentication, the authentication option <literal>clientcert</literal> is - assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>, - and it cannot be turned off since a client certificate is necessary for this - method. What the <literal>cert</literal> method adds to the basic - <literal>clientcert</literal> certificate validity test is a check that the - <literal>cn</literal> attribute matches the database user name. + It is redundant to use the <literal>clientcert</literal> option with + <literal>cert</literal> authentication because <literal>cert</literal> + authentication is effectively <literal>trust</literal> authentication + with <literal>clientcert=verify-full</literal>. </para> </sect1> |