postgresql

31st chunk of `doc/src/sgml/client-auth.sgml`
 SRV
    discovery to find the host name(s) and port(s) for the LDAP service for the
    domain name <literal>example.net</literal>:
<programlisting>
host ... ldap ldapbasedn="dc=example,dc=net"
</programlisting>
   </para>

   <tip>
    <para>
     Since LDAP often uses commas and spaces to separate the different
     parts of a DN, it is often necessary to use double-quoted parameter
     values when configuring LDAP options, as shown in the examples.
    </para>
   </tip>

  </sect1>

  <sect1 id="auth-radius">
   <title>RADIUS Authentication</title>

   <indexterm zone="auth-radius">
    <primary>RADIUS</primary>
   </indexterm>

   <para>
    This authentication method operates similarly to
    <literal>password</literal> except that it uses RADIUS
    as the password verification method. RADIUS is used only to validate
    the user name/password pairs. Therefore the user must already
    exist in the database before RADIUS can be used for
    authentication.
   </para>

   <para>
    When using RADIUS authentication, an Access Request message will be sent
    to the configured RADIUS server. This request will be of type
    <literal>Authenticate Only</literal>, and include parameters for
    <literal>user name</literal>, <literal>password</literal> (encrypted) and
    <literal>NAS Identifier</literal>. The request will be encrypted using
    a secret shared with the server. The RADIUS server will respond to
    this request with either <literal>Access Accept</literal> or
    <literal>Access Reject</literal>. There is no support for RADIUS accounting.
   </para>

   <para>
    Multiple RADIUS servers can be specified, in which case they will
    be tried sequentially. If a negative response is received from
    a server, the authentication will fail. If no response is received,
    the next server in the list will be tried. To specify multiple
    servers, separate the server names with commas and surround the list
    with double quotes. If multiple servers are specified, the other
    RADIUS options can also be given as comma-separated lists, to provide
    individual values for each server. They can also be specified as
    a single value, in which case that value will apply to all servers.
   </para>

   <para>
    The following configuration options are supported for RADIUS:
     <variablelist>
      <varlistentry>
       <term><literal>radiusservers</literal></term>
       <listitem>
        <para>
         The DNS names or IP addresses of the RADIUS servers to connect to.
         This parameter is required.
        </para>
       </listitem>
      </varlistentry>

      <varlistentry>
       <term><literal>radiussecrets</literal></term>
       <listitem>
        <para>
         The shared secrets used when talking securely to the RADIUS
         servers. This must have exactly the same value on the PostgreSQL
         and RADIUS servers. It is recommended that this be a string of
         at least 16 characters. This parameter is required.
         <note>
         <para>
          The encryption vector used will only be cryptographically
          strong if <productname>PostgreSQL</productname> is built with support for
          <productname>OpenSSL</productname>. In other cases, the transmission to the
          RADIUS server should only be considered obfuscated, not secured, and
          external security measures should be applied if necessary.
         </para>
         </note>
        </para>
       </listitem>
      </varlistentry>

      <varlistentry>
       <term><literal>radiusports</literal></term>
       <listitem>
        <para>
         The port numbers to connect to on the RADIUS servers. If no port
         is specified, the default RADIUS port (<literal>1812</literal>)
         will be used.
        </para>
       </listitem>
      </varlistentry>

      <varlistentry>
       <term><literal>radiusidentifiers</literal></term>
       <listitem>
        <para>
         The strings to be used as <literal>NAS

Title: RADIUS Authentication Configuration
Summary
This section describes the RADIUS authentication method in PostgreSQL, which uses RADIUS as the password verification method, and explains how to configure RADIUS authentication, including specifying RADIUS servers, shared secrets, ports, and identifiers, as well as how the authentication process works and the supported configuration options.
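
The "password (encrypted)" parameter and the note on the encryption vector above correspond to the User-Password hiding defined in RFC 2865 section 5.2, where the 16-byte Request Authenticator plays the role of the vector. The following is an added example, not PostgreSQL's code; the function names and the sample secret and password are constructed for illustration.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; RFC 2865 hides the password in 16-byte blocks


def _pad(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: build the User-Password value sent in the Access-Request."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        # pad_1 = MD5(secret + authenticator), pad_n = MD5(secret + c_{n-1})
        prev = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], _pad(secret, prev)))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same pads and strip the NUL padding."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, _pad(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # constructed sample value
    password = b"constructed-sample-password"   # constructed sample value
    fresh = hide_password(password, secret, os.urandom(BLOCK))
    fixed_a = hide_password(password, secret, bytes(BLOCK))
    fixed_b = hide_password(password, secret, bytes(BLOCK))
    print("random authenticator :", fresh.hex())
    # A repeated authenticator repeats the pad, so equal passwords look equal
    print("repeated authenticator gives identical output:", fixed_a == fixed_b)
```

Because the first pad depends only on the shared secret and the authenticator, the hiding is only as good as the randomness of that 16-byte value and the strength of the secret, which is what the note on OpenSSL builds and the 16-character recommendation address.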