|
1 | 1 | <!-- |
2 | | -$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.71 2005/01/23 00:30:18 momjian Exp $ |
| 2 | +$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.72 2005/01/28 22:38:37 tgl Exp $ |
3 | 3 | --> |
4 | 4 |
|
5 | 5 | <chapter id="client-authentication"> |
@@ -709,7 +709,7 @@ local db1,db2,@demodbs all md5 |
709 | 709 |
|
710 | 710 | <para> |
711 | 711 | The ident authentication method works by obtaining the client's |
712 | | - operating system user name and determining the allowed database |
| 712 | + operating system user name, then determining the allowed database |
713 | 713 | user names using a map file that lists the permitted |
714 | 714 | corresponding pairs of names. The determination of the client's |
715 | 715 | user name is the security-critical point, and it works differently |
@@ -752,6 +752,15 @@ local db1,db2,@demodbs all md5 |
752 | 752 | </para> |
753 | 753 | </blockquote> |
754 | 754 | </para> |
| 755 | + |
| 756 | + <para> |
| 757 | + Some ident servers have a nonstandard option that causes the returned |
| 758 | + user name to be encrypted, using a key that only the originating |
| 759 | + machine's administrator knows. This option <emphasis>must not</> be |
| 760 | + used when using the ident server with <productname>PostgreSQL</>, |
| 761 | + since <productname>PostgreSQL</> does not have any way to decrypt the |
| 762 | + returned string to determine the actual user name. |
| 763 | + </para> |
755 | 764 | </sect3> |
756 | 765 |
|
757 | 766 | <sect3> |
|
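Review bot: the new paragraph (lines 756-763) tells administrators that the ident server's encryption option must not be used, but it does not say what they will observe if it is enabled; since PostgreSQL cannot decrypt the returned string to recover the user name, the encrypted reply will never match an entry in the ident map and the connection will be refused rather than mapped to a wrong user. Consider adding a sentence such as "If this option is enabled, ident authentication will fail for every client on that machine, because the returned string cannot be matched against the ident map," so that someone troubleshooting unexplained ident rejections recognizes the symptom and knows it is a safe failure rather than a misconfigured map file.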