Diffstat (limited to 'doc/src/sgml/client-auth.sgml')
-rw-r--r-- doc/src/sgml/client-auth.sgml | 80
1 files changed, 68 insertions, 12 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 6442aa1efed..e1d8c9503b5 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.124 2009/10/01 01:58:57 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.125 2009/12/12 21:35:21 mha Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@@ -1202,7 +1202,8 @@ omicron bryanh guest1
</para>
<para>
- The server will bind to the distinguished name constructed as
+ LDAP authentication can operate in two modes. In the first mode,
+ the server will bind to the distinguished name constructed as
<replaceable>prefix</> <replaceable>username</> <replaceable>suffix</>.
Typically, the <replaceable>prefix</> parameter is used to specify
<literal>cn=</>, or <replaceable>DOMAIN</><literal>\</> in an Active
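Review bot: the new sentence introduces the two modes only as "the first mode" and "the second mode", while the option entries later in this patch refer to them as "simple bind authentication" and "search+bind authentication"; give the modes those names here (for example "In the first mode, called simple bind, the server will bind to ...") so a reader can connect the per-option text back to this paragraph.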
@@ -1211,6 +1212,23 @@ omicron bryanh guest1
</para>
<para>
+ In the second mode, the server first binds to the LDAP directory with
+ a fixed username and password, specified with <replaceable>ldapbinduser</>
+ and <replaceable>ldapbinddn</>, and performs a search for the user trying
+ to log in to the database. If no user and password is configured, an
+ anonymous bind will be attempted to the directory. The search will be
+ performed over the subtree at <replaceable>ldapbasedn</>, and will try to
+ do an exact match of the attribute specified in
+ <replaceable>ldapsearchattribute</>. If no attribute is specified, the
+ <literal>uid</> attribute will be used. Once the user has been found in
+ this search, the server disconnects and re-binds to the directory as
+ this user, using the password specified by the client, to verify that the
+ login is correct. This method allows for significantly more flexibility
+ in where the user objects are located in the directory, but will cause
+ two separate connections to the LDAP server to be made.
+ </para>
+
+ <para>
The following configuration options are supported for LDAP:
<variablelist>
<varlistentry>
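Review bot: the paragraph says the fixed credentials are "specified with <replaceable>ldapbinduser</> and <replaceable>ldapbinddn</>", but no <literal>ldapbinduser</> option is added anywhere in this patch; the options added below are <literal>ldapbinddn</> and <literal>ldapbindpasswd</>, so this should read "specified with <replaceable>ldapbinddn</> and <replaceable>ldapbindpasswd</>". Also "If no user and password is configured" should be "If no user and password are configured", and since the search is performed with the username supplied by the client, it would help to state explicitly whether that value is escaped before being placed in the search filter.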
@@ -1222,10 +1240,31 @@ omicron bryanh guest1
</listitem>
</varlistentry>
<varlistentry>
+ <term><literal>ldapport</literal></term>
+ <listitem>
+ <para>
+ Port number on LDAP server to connect to. If no port is specified,
+ the default port in the LDAP library will be used.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldaptls</literal></term>
+ <listitem>
+ <para>
+ Set to <literal>1</> to make the connection between PostgreSQL and the
+ LDAP server use TLS encryption. Note that this only encrypts
+ the traffic to the LDAP server &mdash; the connection to the client
+ will still be unencrypted unless SSL is used.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><literal>ldapprefix</literal></term>
<listitem>
<para>
- String to prepend to the username when forming the DN to bind as.
+ String to prepend to the username when forming the DN to bind as,
+ when doing simple bind authentication.
</para>
</listitem>
</varlistentry>
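Review bot: the moved <literal>ldaptls</> entry still does not say whether setting it to 1 negotiates TLS on the port given by <literal>ldapport</> or whether <literal>ldapport</> must point at a TLS-only port; now that both entries sit next to each other and apply to both modes, one sentence stating that would remove the ambiguity.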
@@ -1233,30 +1272,47 @@ omicron bryanh guest1
<term><literal>ldapsuffix</literal></term>
<listitem>
<para>
- String to append to the username when forming the DN to bind as.
+ String to append to the username when forming the DN to bind as,
+ when doing simple bind authentication.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term><literal>ldapport</literal></term>
+ <term><literal>ldapbasedn</literal></term>
<listitem>
<para>
- Port number on LDAP server to connect to. If no port is specified,
- the default port in the LDAP library will be used.
+ DN to root the search for the user in, when doing search+bind
+ authentication.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term><literal>ldaptls</literal></term>
+ <term><literal>ldapbinddn</literal></term>
<listitem>
<para>
- Set to <literal>1</> to make the connection between PostgreSQL and the
- LDAP server use TLS encryption. Note that this only encrypts
- the traffic to the LDAP server &mdash; the connection to the client
- will still be unencrypted unless SSL is used.
+ DN of user to bind to the directory with to perform the search when
+ doing search+bind authentication.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><literal>ldapbindpasswd</literal></term>
+ <listitem>
+ <para>
+ Password for user to bind to the directory with to perform the search
+ when doing search+bind authentication.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldapsearchattribute</literal></term>
+ <listitem>
+ <para>
+ Attribute to match against the username in the search when doing
+ search+bind authentication.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
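Review bot: the <literal>ldapsearchattribute</> entry should state the default, since the narrative above says the <literal>uid</> attribute is used when none is specified but a reader scanning only the option list will not see that; likewise the <literal>ldapbindpasswd</> entry should note that this password is stored as plain text in the configuration file, so the file's access permissions protect the directory credential.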