Received: from maia.hub.org (maia-5.hub.org [200.46.204.29])
	by mail.postgresql.org (Postfix) with ESMTP id 55CA81337B97
	for <pgsql-docs-postgresql.org@mail.postgresql.org>;
	Sat,  7 May 2011 14:46:20 -0300 (ADT)
Received: from mail.postgresql.org ([200.46.204.86])
	by maia.hub.org (mx1.hub.org [200.46.204.29]) (amavisd-maia, port 10024)
	with ESMTP id 75482-02 for
	<pgsql-docs-postgresql.org@mail.postgresql.org>;
	Sat,  7 May 2011 17:46:12 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from mail-pz0-f46.google.com (mail-pz0-f46.google.com
	[209.85.210.46])
	by mail.postgresql.org (Postfix) with ESMTP id 9FE9E1337B67
	for <pgsql-docs@postgresql.org>; Sat,  7 May 2011 14:46:05 -0300 (ADT)
Received: by pzk9 with SMTP id 9so1839499pzk.19
	for <pgsql-docs@postgresql.org>; Sat, 07 May 2011 10:46:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.66.9 with SMTP id b9mr7090916pbt.107.1304790364881; Sat, 07
	May 2011 10:46:04 -0700 (PDT)
Received: by 10.68.64.97 with HTTP; Sat, 7 May 2011 10:46:04 -0700 (PDT)
In-Reply-To: <4DC575F6.4060508@kerneljack.com>
References: <4DC575F6.4060508@kerneljack.com>
Date: Sat, 7 May 2011 19:46:04 +0200
Message-ID: <BANLkTim+=1zT5=4y-ymjAyREvZ5LBX0Fcw@mail.gmail.com>
Subject: Re: Error in SSL config documentation?
From: Magnus Hagander <magnus@hagander.net>
To: Khusro Jaleel <mailing-lists@kerneljack.com>
Cc: pgsql-docs@postgresql.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: Maia Mailguard 1.0.1
X-Spam-Status: No, hits=-1.9 tagged_above=-5 required=5 tests=BAYES_00=-1.9
X-Spam-Level: 
X-Archive-Number: 201105/28
X-Sequence-Number: 6703

On Sat, May 7, 2011 at 18:40, Khusro Jaleel
<mailing-lists@kerneljack.com> wrote:
> Hello, according to section 17.8.1 of the docs, I have added "clientcert"=
 to
> a hostssl line in my pg_hba.conf file, but upon restart of the server, I'=
m
> getting the following error and the server fails to start up:
>
> LOG: =A0invalid authentication method "clientcert"
> CONTEXT: =A0line 82 of configuration file
> "/var/lib/pgsql/9.0/data/pg_hba.conf"
> FATAL: =A0could not load pg_hba.conf
>
> Changing the "clientcert" to "cert" seems to work. So does this mean the
> documentation is incorrect?

These are two different things.

as the docs say, "The clientcert option in pg_hba.conf is available
for all authentication methods, but only for rows specified as
hostssl.", and a bit further down "If you are setting up client
certificates, you may wish to use the cert authentication method, so
that the certificates control user authentication as well as providing
connection security. "


cert is the authentication method that uses client certificates to log in.


clientcert=3D1 makes the server request a client certificate - but does
not use it for authentication. So the client just has to present *any
valid* client certificate, and can then use whatever other
authenticaiton method is specified (md5, ldap, etc).


--=20
=A0Magnus Hagander
=A0Me: http://www.hagander.net/
=A0Work: http://www.redpill-linpro.com/