From bb93a17d42f1942c6136388ff9820abaa83750c0 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 23 Feb 2011 03:40:08 +0000
Subject: [PATCH] More for ITS#6839

---
 doc/guide/admin/sasl.sdf | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/doc/guide/admin/sasl.sdf b/doc/guide/admin/sasl.sdf
index 6dde65b3f3..af46c9986a 100644
--- a/doc/guide/admin/sasl.sdf
+++ b/doc/guide/admin/sasl.sdf
@@ -302,12 +302,14 @@ format:
 
 H4: TLS Authentication Identity Format
 
-This is usually the Subject DN from the client-side certificate.
-The order of the components will be changed to follow LDAP conventions,
-so a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}}
+This is the Subject DN from the client-side certificate.
+Note that DNs are displayed differently by LDAP and by X.509, so
+a certificate issued to
+>	C=gb, O=The Example Organisation, CN=A Person
+
 will produce an authentication identity of:
 
-> cn=A Person,o=The Example Organisation,c=gb
+>	cn=A Person,o=The Example Organisation,c=gb
 
 Note that you must set a suitable value for TLSVerifyClient to make the server
 request the use of a client-side certificate. Without this, the SASL EXTERNAL
-- 
2.39.5