Error in SSL config documentation?
Hello, according to section 17.8.1 of the docs, I have added
"clientcert" to a hostssl line in my pg_hba.conf file, but upon restart
of the server, I'm getting the following error and the server fails to
start up:
LOG: invalid authentication method "clientcert"
CONTEXT: line 82 of configuration file
"/var/lib/pgsql/9.0/data/pg_hba.conf"
FATAL: could not load pg_hba.conf
Changing the "clientcert" to "cert" seems to work. So does this mean the
documentation is incorrect?
On Sat, May 7, 2011 at 18:40, Khusro Jaleel
<mailing-lists@kerneljack.com> wrote:
Hello, according to section 17.8.1 of the docs, I have added "clientcert" to
a hostssl line in my pg_hba.conf file, but upon restart of the server, I'm
getting the following error and the server fails to start up:LOG: invalid authentication method "clientcert"
CONTEXT: line 82 of configuration file
"/var/lib/pgsql/9.0/data/pg_hba.conf"
FATAL: could not load pg_hba.confChanging the "clientcert" to "cert" seems to work. So does this mean the
documentation is incorrect?
These are two different things.
as the docs say, "The clientcert option in pg_hba.conf is available
for all authentication methods, but only for rows specified as
hostssl.", and a bit further down "If you are setting up client
certificates, you may wish to use the cert authentication method, so
that the certificates control user authentication as well as providing
connection security. "
cert is the authentication method that uses client certificates to log in.
clientcert=1 makes the server request a client certificate - but does
not use it for authentication. So the client just has to present *any
valid* client certificate, and can then use whatever other
authenticaiton method is specified (md5, ldap, etc).
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
On 07/05/11 18:46, Magnus Hagander wrote:
clientcert=1 makes the server request a client certificate - but does
not use it for authentication. So the client just has to present *any
valid* client certificate, and can then use whatever other
authenticaiton method is specified (md5, ldap, etc).
Ah, I see now. When you wrote "clientcert=1" above, that made me realise
that I was making a mistake. I was using "clientcert" in the
authentication method column, and you can't use it there because it's an
"option" to "any other auth method" and not a auth method on its own.
I did read the doc and this was not clear to me at first, so perhaps it
could be made clearer?
Thanks for your help,
Khusro
On Sat, May 7, 2011 at 20:03, Khusro Jaleel
<mailing-lists@kerneljack.com> wrote:
On 07/05/11 18:46, Magnus Hagander wrote:
clientcert=1 makes the server request a client certificate - but does
not use it for authentication. So the client just has to present *any
valid* client certificate, and can then use whatever other
authenticaiton method is specified (md5, ldap, etc).Ah, I see now. When you wrote "clientcert=1" above, that made me realise
that I was making a mistake. I was using "clientcert" in the authentication
method column, and you can't use it there because it's an "option" to "any
other auth method" and not a auth method on its own.I did read the doc and this was not clear to me at first, so perhaps it
could be made clearer?
Probalby, if you got confused. Do you have a suggestion for a better wording?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/