|
- <?xml version="1.0" encoding="UTF-8" standalone="no"?>
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.12. Certificate Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="auth-radius.html" title="20.11. RADIUS Authentication" /><link rel="next" href="auth-pam.html" title="20.13. PAM Authentication" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.12. Certificate Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-radius.html" title="20.11. RADIUS Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-pam.html" title="20.13. PAM Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="AUTH-CERT"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.12. Certificate Authentication</h2></div></div></div><a id="id-1.6.7.19.2" class="indexterm"></a><p>
- This authentication method uses SSL client certificates to perform
- authentication. It is therefore only available for SSL connections.
- When using this authentication method, the server will require that
- the client provide a valid, trusted certificate. No password prompt
- will be sent to the client. The <code class="literal">cn</code> (Common Name)
- attribute of the certificate
- will be compared to the requested database user name, and if they match
- the login will be allowed. User name mapping can be used to allow
- <code class="literal">cn</code> to be different from the database user name.
- </p><p>
- The following configuration options are supported for SSL certificate
- authentication:
- </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">map</code></span></dt><dd><p>
- Allows for mapping between system and database user names. See
- <a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a> for details.
- </p></dd></dl></div><p>
- In a <code class="filename">pg_hba.conf</code> record specifying certificate
- authentication, the authentication option <code class="literal">clientcert</code> is
- assumed to be <code class="literal">verify-ca</code> or <code class="literal">verify-full</code>,
- and it cannot be turned off since a client certificate is necessary for this
- method. What the <code class="literal">cert</code> method adds to the basic
- <code class="literal">clientcert</code> certificate validity test is a check that the
- <code class="literal">cn</code> attribute matches the database user name.
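- </p><p>
- The following is an added example, not part of the PostgreSQL documentation: a
- <code class="literal">cert</code> record with a user name map, shown with the server
- settings it relies on. The map name <code class="literal">cert_users</code>, the
- address range, the file names and all user and host names are constructed for illustration.
- </p>

```conf
# --- postgresql.conf (server side) ---
# cert authentication only works on SSL connections, and the server
# needs a CA bundle against which client certificates are validated.
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
ssl_ca_file   = 'root.crt'    # every CA listed here can issue accepted client certs

# --- pg_hba.conf ---
# TYPE   DATABASE  USER  ADDRESS        METHOD  OPTIONS
# hostssl (not host) so the record never matches a non-SSL connection.
# Without map=, the certificate cn must equal the requested database user name.
hostssl  all       all   192.0.2.0/24   cert    map=cert_users

# --- pg_ident.conf ---
# MAPNAME     SYSTEM-USERNAME               PG-USERNAME
# For cert authentication the "system" user name is the certificate cn.
# Exact entry: cn "alice.ops" may connect as database user "alice".
cert_users    alice.ops                     alice
# Regular-expression entry (leading slash): cn "billing.svc.example.com"
# may connect as "billing". \1 is the captured group; the pattern is
# anchored with ^ and $ so a longer cn cannot match by accident.
cert_users    /^(.*)\.svc\.example\.com$    \1
```

- <p>
- With these entries, a certificate whose <code class="literal">cn</code> is
- <code class="literal">billing.svc.example.com</code> can log in only as the database user
- <code class="literal">billing</code>, and a certificate that validates against the CA but whose
- <code class="literal">cn</code> matches no map entry for the requested user is rejected.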
- </p></div></body></html>
|