|
1 | 1 | <!--
|
2 |
| -$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.71 2005/01/23 00:30:18 momjian Exp $ |
| 2 | +$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.72 2005/01/28 22:38:37 tgl Exp $ |
3 | 3 | -->
|
4 | 4 |
|
5 | 5 | <chapter id="client-authentication">
|
@@ -709,7 +709,7 @@ local db1,db2,@demodbs all md5
|
709 | 709 |
|
710 | 710 | <para>
|
711 | 711 | The ident authentication method works by obtaining the client's
|
712 |
| - operating system user name and determining the allowed database |
| 712 | + operating system user name, then determining the allowed database |
713 | 713 | user names using a map file that lists the permitted
|
714 | 714 | corresponding pairs of names. The determination of the client's
|
715 | 715 | user name is the security-critical point, and it works differently
|
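Review bot: wording only, and an improvement; the comma after "user name" makes the two steps (obtain the client's operating system user name, then map it to allowed database user names via the map file) read as a sequence rather than one compound action, and the unchanged sentence that follows still correctly identifies that first step as the security-critical one. No further change needed in this hunk.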
@@ -752,6 +752,15 @@ local db1,db2,@demodbs all md5
|
752 | 752 | </para>
|
753 | 753 | </blockquote>
|
754 | 754 | </para>
|
| 755 | + |
| 756 | + <para> |
| 757 | + Some ident servers have a nonstandard option that causes the returned |
| 758 | + user name to be encrypted, using a key that only the originating |
| 759 | + machine's administrator knows. This option <emphasis>must not</> be |
| 760 | + used when using the ident server with <productname>PostgreSQL</>, |
| 761 | + since <productname>PostgreSQL</> does not have any way to decrypt the |
| 762 | + returned string to determine the actual user name. |
| 763 | + </para> |
755 | 764 | </sect3>
|
756 | 765 |
|
757 | 766 | <sect3>
|
|
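Review bot: the new paragraph tells the administrator what not to do but not what they will observe if the option is left on; since the text states that PostgreSQL cannot decrypt the returned string, the encrypted value can never match a "permitted corresponding pair of names" in the map file described at lines 713-714, so ident authentication will simply be refused for every such connection. Consider adding one sentence after "determine the actual user name." along the lines of "If this option is enabled, ident authentication will fail because the returned string does not match any entry in the map." The short-close tags (`<emphasis>must not</>`, `<productname>PostgreSQL</>`) match the SGML style already used in this hunk, so that is consistent.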