From f825704b0628161dd485f04308874d0b7d4f5e76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Tue, 19 May 2009 05:29:26 +0000
Subject: [PATCH] More documentation about pkinit_principal_in_certificate

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25211 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 doc/setup.texi | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/doc/setup.texi b/doc/setup.texi
index c70377633..8dbb4150b 100644
--- a/doc/setup.texi
+++ b/doc/setup.texi
@@ -1149,6 +1149,14 @@ It possible to store the principal (if allowed by the KDC) in the certificate and thus delegate responsibility to do the mapping between certificates and principals to the CA.
+This behavior is controlled by KDC configuration option:
+
+@example
+[kdc]
+ pkinit_principal_in_certificate = yes
+@end example
+
+
 @subsubsection Using KRB5PrincipalName in id-pkinit-san OtherName extention in the GeneralName is used to do the
@@ -1303,8 +1311,9 @@ Write about the kdc.
 pkinit_anchors = FILE:/path/to/trust-anchors.pem
 pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
 pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
- pkinit_allow_proxy_certificate = false
+ pkinit_allow_proxy_certificate = no
 pkinit_win2k_require_binding = yes
+ pkinit_principal_in_certificate = no
 @end example
 @subsection Using pki-mapping file