Clarify documentation on pkinit_identities

The documentation for pkinit_identities implies that we try harder to
use each value before ignoring the rest, when in fact we only go as
far as the first successful parse.  Soften the language and describe
the most likely use case for multiple values under the current
semantics.

(cherry picked from commit e095b436d92d9aa30106509b5ccf76719e1668b3)

ticket: 8733
version_fixed: 1.16.2

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 3d33dba4045d01781d2a7944d7d402b470404c34..129f9b98ba4e1646e87e96445ea8fcc4cb876794 100644 (file)
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1106,11 +1106,11 @@ PKINIT krb5.conf options
 
 **pkinit_identities**
     Specifies the location(s) to be used to find the user's X.509
-    identity information.  This option may be specified multiple
-    times.  Each value is attempted in order until identity
-    information is found and authentication is attempted.  Note that
-    these values are not used if the user specifies
-    **X509_user_identity** on the command line.
+    identity information.  If this option is specified multiple times,
+    the first valid value is used; this can be used to specify an
+    environment variable (with **ENV:**\ *envvar*) followed by a
+    default value.  Note that these values are not used if the user
+    specifies **X509_user_identity** on the command line.
 
 **pkinit_kdc_hostname**
     The presense of this option indicates that the client is willing