On Sat, Jan 30, 2021 at 04:18:12PM -0500, Andrew Dunstan wrote: > @@ -610,6 +610,19 @@ hostnogssenc <replaceable>database</replaceable> > <replaceable>user</replaceabl > the verification of client certificates with any authentication > method that supports <literal>hostssl</literal> entries. > </para> > + <para> > + On any record using client certificate authentication, that is one > + using the <literal>cert</literal> authentication method or one > + using the <literal>clientcert</literal> option, you can specify
I suggest instead of "that is" to instead parenthesize this part: | (one using the <literal>cert</literal> authentication method or the | <literal>clientcert</literal> option), you can specify > + which part of the client certificate credentials to match using > + the <literal>clientname</literal> option. This option can have one > + of two values. If you specify <literal>clientname=CN</literal>, which > + is the default, the username is matched against the certificate's > + <literal>Common Name (CN)</literal>. If instead you specify > + <literal>clientname=DN</literal> the username is matched against the > + entire <literal>Distinguished Name (DN)</literal> of the certificate. > + This option is probably best used in comjunction with a username map. spell: conjunction
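Review bot: The sentence for <literal>clientname=DN</literal> in the added paragraph says the username is matched against "the entire Distinguished Name (DN) of the certificate" but does not say in which string form the DN is compared. Anyone writing the username map that the last sentence recommends needs to know the exact attribute order and separator to match on, so the paragraph should name the format and ideally show one sample DN together with a matching map entry. The closing sentence, "This option is probably best used in conjunction with a username map", would also read better if it gave the reason (a full DN will seldom be identical to a database user name) rather than "probably". Two smaller points: a comma is missing after <literal>clientname=DN</literal> in "If instead you specify ... the username is matched", and <literal>Common Name (CN)</literal> and <literal>Distinguished Name (DN)</literal> wrap descriptive terms in literal markup, which is normally kept for text the user types, such as <literal>clientname=CN</literal>.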