Clarify documentation about username mapping when authenticating with

GSSAPI or Kerberos. Ian Turner
2025-04-21 12:05:57 +03:00 · 2010-02-20 19:21:14 +00:00 · 2010-02-20 19:21:14 +00:00 · 786e2f6871
commit 786e2f6871
parent de9ec65431
1 changed files with 20 additions and 15 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.131 2010/02/03 17:25:05 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.132 2010/02/20 19:21:14 momjian Exp $ -->

 <chapter id="client-authentication">
 <title>Client Authentication</title>
@ -823,16 +823,6 @@ omicron         bryanh                  guest1
   <para>
    The following configuration options are supported for <productname>GSSAPI</productname>:
    <variablelist>
-     <varlistentry>
-      <term><literal>map</literal></term>
-      <listitem>
-       <para>
-        Allows for mapping between system and database usernames. See
-        <xref linkend="auth-username-maps"> for details.
-       </para>
-      </listitem>
-     </varlistentry>
-
     <varlistentry>
      <term><literal>include_realm</literal></term>
      <listitem>
@ -845,6 +835,21 @@ omicron         bryanh                  guest1
      </listitem>
     </varlistentry>

+     <varlistentry>
+      <term><literal>map</literal></term>
+      <listitem>
+       <para>
+        Allows for mapping between system and database usernames. See
+        <xref linkend="auth-username-maps"> for details. For a Kerboros
+        principal <literal>username/hostbased@EXAMPLE.COM</literal>, the
+        username used for mapping is <literal>username/hostbased</literal>
+        if <literal>include_realm</literal> is disabled, and
+        <literal>username/hostbased@EXAMPLE.COM</literal> if
+        <literal>include_realm</literal> is enabled.
+       </para>
+      </listitem>
+     </varlistentry>
+
     <varlistentry>
      <term><literal>krb_realm</literal></term>
      <listitem>
@ -1027,10 +1032,10 @@ omicron         bryanh                  guest1
   <para>
    When connecting to the database make sure you have a ticket for a
    principal matching the requested database user name. For example, for
-    database user name <literal>fred</>, both principal
-    <literal>fred@EXAMPLE.COM</> and
-    <literal>fred/users.example.com@EXAMPLE.COM</> could be used to
-    authenticate to the database server.
+    database user name <literal>fred</>, principal
+    <literal>fred@EXAMPLE.COM</> would be able to connect. To also allow
+    principle <literal>fred/users.example.com@EXAMPLE.COM</>, use a username
+    map, as described in <xref linkend="auth-username-maps">.
   </para>

   <para>