From: Tom Lane Date: Fri, 28 Jan 2005 22:38:50 +0000 (+0000) Subject: Add note cautioning that you can't use an encrypting IDENT server X-Git-Tag: REL8_0_1~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2bb33a8048d3b63bfa350ec8215cc34a513397be;p=thirdparty%2Fpostgresql.git Add note cautioning that you can't use an encrypting IDENT server with Postgres. --- diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index e8de87743f3..46daf06173b 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,5 +1,5 @@ @@ -709,7 +709,7 @@ local db1,db2,@demodbs all md5 The ident authentication method works by obtaining the client's - operating system user name and determining the allowed database + operating system user name, then determining the allowed database user names using a map file that lists the permitted corresponding pairs of names. The determination of the client's user name is the security-critical point, and it works differently @@ -752,6 +752,15 @@ local db1,db2,@demodbs all md5 + + + Some ident servers have a nonstandard option that causes the returned + user name to be encrypted, using a key that only the originating + machine's administrator knows. This option must not be + used when using the ident server with PostgreSQL, + since PostgreSQL does not have any way to decrypt the + returned string to determine the actual user name. +
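Review bot: In the hunk at @@ -709,7 +709,7 @@, the rewording from "and determining" to ", then determining" is not mentioned in the commit message, which only describes the new caution about encrypting ident servers. The change itself reads fine, but a short mention in the message ("plus minor wording cleanup") would make it clear the edit is intentional and unrelated to the new note.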
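Review bot: In the hunk at @@ -752,6 +752,15 @@, the added sentence "This option must not be used when using the ident server with PostgreSQL" repeats "used ... using" and does not tell the administrator what goes wrong if the option is left on. Suggest something like "This option must not be enabled when the ident server is used with PostgreSQL", and one more clause stating the consequence in terms of the preceding text: the returned string is not the operating system user name, so it cannot be looked up in the map file. The paragraph also names neither the option nor an ident server that offers it, so a reader cannot easily check their own configuration; naming one example would help if that is known.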