Clarify documentation on pkinit_identities

The documentation for pkinit_identities implies that we try harder to
use each value before ignoring the rest, when in fact we only go as
far as the first successful parse.  Soften the language and describe
the most likely use case for multiple values under the current
semantics.

ticket: 8733
tags: pullup
target_version: 1.16-next

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 68c69df04a1208192266dd33e5dbd7c62a805559..42c117a34b4f12dbe1a62c6cbfb9f0078291bff3 100644 (file)
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1134,11 +1134,11 @@ PKINIT krb5.conf options
 
 **pkinit_identities**
     Specifies the location(s) to be used to find the user's X.509
-    identity information.  This option may be specified multiple
-    times.  Each value is attempted in order until identity
-    information is found and authentication is attempted.  Note that
-    these values are not used if the user specifies
-    **X509_user_identity** on the command line.
+    identity information.  If this option is specified multiple times,
+    the first valid value is used; this can be used to specify an
+    environment variable (with **ENV:**\ *envvar*) followed by a
+    default value.  Note that these values are not used if the user
+    specifies **X509_user_identity** on the command line.
 
 **pkinit_kdc_hostname**
     The presense of this option indicates that the client is willing