Re: Error in SSL config documentation?

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Magnus Hagander <[email protected]>
To: Khusro Jaleel <[email protected]>
Cc: [email protected]
Subject: Re: Error in SSL config documentation?
Date: Sat, 7 May 2011 19:46:04 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

On Sat, May 7, 2011 at 18:40, Khusro Jaleel
<[email protected]> wrote:
> Hello, according to section 17.8.1 of the docs, I have added "clientcert" to
> a hostssl line in my pg_hba.conf file, but upon restart of the server, I'm
> getting the following error and the server fails to start up:
>
> LOG:  invalid authentication method "clientcert"
> CONTEXT:  line 82 of configuration file
> "/var/lib/pgsql/9.0/data/pg_hba.conf"
> FATAL:  could not load pg_hba.conf
>
> Changing the "clientcert" to "cert" seems to work. So does this mean the
> documentation is incorrect?

These are two different things.

as the docs say, "The clientcert option in pg_hba.conf is available
for all authentication methods, but only for rows specified as
hostssl.", and a bit further down "If you are setting up client
certificates, you may wish to use the cert authentication method, so
that the certificates control user authentication as well as providing
connection security. "

cert is the authentication method that uses client certificates to log in.

clientcert=1 makes the server request a client certificate - but does
not use it for authentication. So the client just has to present *any
valid* client certificate, and can then use whatever other
authenticaiton method is specified (md5, ldap, etc).

-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

view thread (4+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: Error in SSL config documentation?
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox