docs: clarify the interaction of clientcert and cert auth.

author Bruce Momjian

Mon, 5 Oct 2020 20:07:15 +0000 (16:07 -0400)

committer Bruce Momjian

Mon, 5 Oct 2020 20:07:15 +0000 (16:07 -0400)
author Bruce Momjian
Mon, 5 Oct 2020 20:07:15 +0000 (16:07 -0400)
committer Bruce Momjian
Mon, 5 Oct 2020 20:07:15 +0000 (16:07 -0400)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml

index 5cd88b462dbdbf056d48331a1a9c4609033af03f..a0d584fb34eef2193cd4d0aae00e3d374631dacc 100644 (file)
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -2042,13 +2042,10 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""
     
  
     
-    In a pg_hba.conf record specifying certificate
-    authentication, the authentication option clientcert is
-    assumed to be verify-ca or verify-full,
-    and it cannot be turned off since a client certificate is necessary for this
-    method. What the cert method adds to the basic
-    clientcert certificate validity test is a check that the
-    cn attribute matches the database user name.
+    It is redundant to use the clientcert option with
+    cert authentication because cert
+    authentication is effectively trust authentication
+    with clientcert=verify-full.