diff options
author | Tom Lane <tgl@sss.pgh.pa.us> | 2005-01-28 22:38:50 +0000 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2005-01-28 22:38:50 +0000 |
commit | 2bb33a8048d3b63bfa350ec8215cc34a513397be (patch) | |
tree | 72b0451fd25b209e8d481223ff66e139965ad3db | |
parent | 7c67dcacd83c885618a58936df627a17470d9991 (diff) | |
download | postgresql-2bb33a8048d3b63bfa350ec8215cc34a513397be.tar.gz |
Add note cautioning that you can't use an encrypting IDENT server
with Postgres.
-rw-r--r-- | doc/src/sgml/client-auth.sgml | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index e8de87743f..46daf06173 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,5 +1,5 @@ <!-- -$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.70.4.1 2005/01/23 00:37:12 momjian Exp $ +$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.70.4.2 2005/01/28 22:38:50 tgl Exp $ --> <chapter id="client-authentication"> @@ -709,7 +709,7 @@ local db1,db2,@demodbs all md5 <para> The ident authentication method works by obtaining the client's - operating system user name and determining the allowed database + operating system user name, then determining the allowed database user names using a map file that lists the permitted corresponding pairs of names. The determination of the client's user name is the security-critical point, and it works differently @@ -752,6 +752,15 @@ local db1,db2,@demodbs all md5 </para> </blockquote> </para> + + <para> + Some ident servers have a nonstandard option that causes the returned + user name to be encrypted, using a key that only the originating + machine's administrator knows. This option <emphasis>must not</> be + used when using the ident server with <productname>PostgreSQL</>, + since <productname>PostgreSQL</> does not have any way to decrypt the + returned string to determine the actual user name. + </para> </sect3> <sect3> |