NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit745513c

committed

Clarify usage of clientcert authentication option.

For some reason this option wasn't discussed at all in client-auth.sgml.Document it there, and be more explicit about its relationship to the"cert" authentication method. Per gripe from Srikanth Venkatesh.I failed to resist the temptation to do some minor wordsmithing in thesame area, too.Discussion: <20160713110357.1410.30407@wrigleys.postgresql.org>

1 parent99dd8b0 commit745513cCopy full SHA for 745513c

File tree

2 files changed

+39

-15

lines changed

doc/src/sgml
- client-auth.sgml
- runtime.sgml

2 files changed

+39

-15

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 22 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -547,6 +547,15 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>`
`547`	`547`	`specify options for the authentication method. Details about which`
`548`	`548`	`options are available for which authentication methods appear below.`
`549`	`549`	`</para>`
	`550`	`+`
	`551`	`+ <para>`
	`552`	`+ In addition to the method-specific options listed below, there is one`
	`553`	`+ method-independent authentication option <literal>clientcert</>, which`
	`554`	`+ can be specified in any <literal>hostssl</> record. When set`
	`555`	`+ to <literal>1</>, this option requires the client to present a valid`
	`556`	`+ (trusted) SSL certificate, in addition to the other requirements of the`
	`557`	`+ authentication method.`
	`558`	`+ </para>`
`550`	`559`	`</listitem>`
`551`	`560`	`</varlistentry>`
`552`	`561`	`</variablelist>`
`@@ -1632,9 +1641,9 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"`
`1632`	`1641`	`This authentication method uses SSL client certificates to perform`
`1633`	`1642`	`authentication. It is therefore only available for SSL connections.`
`1634`	`1643`	`When using this authentication method, the server will require that`
`1635`		`- the client provide a validcertificate. No password prompt will be sent`
`1636`		`- to the client. The <literal>cn</literal> (Common Name) attribute of the`
`1637`		`- certificate`
	`1644`	`+ the client provide a valid, trustedcertificate.No password prompt`
	`1645`	`+will be sentto the client.The <literal>cn</literal> (Common Name)`
	`1646`	`+attribute of thecertificate`
`1638`	`1647`	`will be compared to the requested database user name, and if they match`
`1639`	`1648`	`the login will be allowed. User name mapping can be used to allow`
`1640`	`1649`	`<literal>cn</literal> to be different from the database user name.`
`@@ -1655,6 +1664,16 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"`
`1655`	`1664`	`</varlistentry>`
`1656`	`1665`	`</variablelist>`
`1657`	`1666`	`</para>`
	`1667`	`+`
	`1668`	`+ <para>`
	`1669`	`+ In a <filename>pg_hba.conf</> record specifying certificate`
	`1670`	`+ authentication, the authentication option <literal>clientcert</> is`
	`1671`	`+ assumed to be <literal>1</>, and it cannot be turned off since a client`
	`1672`	`+ certificate is necessary for this method. What the <literal>cert</>`
	`1673`	`+ method adds to the basic <literal>clientcert</> certificate validity test`
	`1674`	`+ is a check that the <literal>cn</literal> attribute matches the database`
	`1675`	`+ user name.`
	`1676`	`+ </para>`
`1658`	`1677`	`</sect2>`
`1659`	`1678`
`1660`	`1679`	`<sect2 id="auth-pam">`

`‎doc/src/sgml/runtime.sgml`

Lines changed: 17 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -2189,20 +2189,23 @@ pg_dumpall -p 5432 \| psql -d postgres -p 5433`
`2189`	`2189`	`<sect2 id="ssl-client-certificates">`
`2190`	`2190`	`<title>Using Client Certificates</title>`
`2191`	`2191`
`2192`		`-<para>`
	`2192`	`+ <para>`
`2193`	`2193`	`To require the client to supply a trusted certificate, place`
`2194`	`2194`	`certificates of the certificate authorities (<acronym>CA</acronym>s)`
`2195`	`2195`	`you trust in the file <filename>root.crt</filename> in the data`
`2196`	`2196`	`directory, set the parameter <xref linkend="guc-ssl-ca-file"> in`
`2197`	`2197`	`<filename>postgresql.conf</filename> to <literal>root.crt</literal>,`
`2198`		`- and set the <literal>clientcert</literal> parameter`
`2199`		`- to 1 on the appropriate <literal>hostssl</> line(s) in`
`2200`		`- <filename>pg_hba.conf</>.`
	`2198`	`+ and add the authentication option <literal>clientcert=1</literal> to the`
	`2199`	`+ appropriate <literal>hostssl</> line(s) in <filename>pg_hba.conf</>.`
`2201`	`2200`	`A certificate will then be requested from the client during`
`2202`	`2201`	`SSL connection startup. (See <xref linkend="libpq-ssl"> for a`
`2203`	`2202`	`description of how to set up certificates on the client.) The server will`
`2204`	`2203`	`verify that the client's certificate is signed by one of the trusted`
`2205`		`- certificate authorities. If intermediate <acronym>CA</>s appear in`
	`2204`	`+ certificate authorities.`
	`2205`	`+ </para>`
	`2206`	`+`
	`2207`	`+ <para>`
	`2208`	`+ If intermediate <acronym>CA</>s appear in`
`2206`	`2209`	`<filename>root.crt</filename>, the file must also contain certificate`
`2207`	`2210`	`chains to their root <acronym>CA</>s. Certificate Revocation List`
`2208`	`2211`	`(CRL) entries`
`@@ -2214,12 +2217,12 @@ pg_dumpall -p 5432 \| psql -d postgres -p 5433`
`2214`	`2217`	`</para>`
`2215`	`2218`
`2216`	`2219`	`<para>`
`2217`		`- The <literal>clientcert</literal> optionin <filename>pg_hba.conf</> is`
`2218`		`-available forall authentication methods, but onlyfor rows specified as`
`2219`		`- <literal>hostssl</>. When <literal>clientcert</literal> is not specified`
`2220`		`- or is set to 0, the server will still verifypresented client`
`2221`		`- certificates against its CAlist, if one is configured,`
`2222`		`-— butit will not insist that a client certificate be presented.`
	`2220`	`+ The <literal>clientcert</literal>authenticationoptionis available for`
	`2221`	`+ all authentication methods, but onlyin <filename>pg_hba.conf</> lines`
	`2222`	`+specified as<literal>hostssl</>. When <literal>clientcert</literal> is`
	`2223`	`+not specifiedor is set to 0, the server will still verifyany presented`
	`2224`	`+clientcertificates against its CAfile, if one is configured — but`
	`2225`	`+ it will not insist that a client certificate be presented.`
`2223`	`2226`	`</para>`
`2224`	`2227`
`2225`	`2228`	`<para>`
`@@ -2234,7 +2237,9 @@ pg_dumpall -p 5432 \| psql -d postgres -p 5433`
`2234`	`2237`	`If you are setting up client certificates, you may wish to use`
`2235`	`2238`	`the <literal>cert</> authentication method, so that the certificates`
`2236`	`2239`	`control user authentication as well as providing connection security.`
`2237`		`- See <xref linkend="auth-cert"> for details.`
	`2240`	`+ See <xref linkend="auth-cert"> for details. (It is not necessary to`
	`2241`	`+ specify <literal>clientcert=1</literal> explicitly when using`
	`2242`	`+ the <literal>cert</> authentication method.)`
`2238`	`2243`	`</para>`
`2239`	`2244`	`</sect2>`
`2240`	`2245`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit745513c

File tree

2 files changed

2 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎doc/src/sgml/runtime.sgml`

0 commit comments