From a9fec25df8887cf62a843021b5323841044c7e65 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Fri, 28 Jan 2005 22:38:37 +0000
Subject: [PATCH] Add note cautioning that you can't use an encrypting IDENT
 server with Postgres.

---
 doc/src/sgml/client-auth.sgml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 75a0381921b..a77ef544aa9 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.71 2005/01/23 00:30:18 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.72 2005/01/28 22:38:37 tgl Exp $
 -->
 
 <chapter id="client-authentication">
@@ -709,7 +709,7 @@ local   db1,db2,@demodbs  all                         md5
 
    <para>
     The ident authentication method works by obtaining the client's
-    operating system user name and determining the allowed database
+    operating system user name, then determining the allowed database
     user names using a map file that lists the permitted
     corresponding pairs of names.  The determination of the client's
     user name is the security-critical point, and it works differently
@@ -752,6 +752,15 @@ local   db1,db2,@demodbs  all                         md5
      </para>
     </blockquote>
    </para>
+
+   <para>
+    Some ident servers have a nonstandard option that causes the returned
+    user name to be encrypted, using a key that only the originating
+    machine's administrator knows.  This option <emphasis>must not</> be
+    used when using the ident server with <productname>PostgreSQL</>,
+    since <productname>PostgreSQL</> does not have any way to decrypt the
+    returned string to determine the actual user name.
+   </para>
    </sect3>
 
    <sect3>
-- 
GitLab