allow "expand" style in peername, sockname, sockurl as well; more sanity checks

[openldap] / doc / man / man5 / slapd-ldap.5

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index be5ddf1c05d202567772749a56ef82d1a1b1573e..884d305c24fd179cf390b59041ef9a83f341166e 100644 (file)
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -1,5 +1,5 @@
 .TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"

-.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.

 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME


@@ -68,21 +68,22 @@ should have read access on the target server to attributes used on the
 proxy for acl checking.
 There is no risk of giving away such values; they are only used to
 check permissions.
 proxy for acl checking.
 There is no risk of giving away such values; they are only used to
 check permissions.

-.RS
-Note: the
-.B binddn 
-/
-.B bindpw
-values are also used to propagate user authorization by means of the 
-.B proxyAuthz 
-mechanism when operations performed by users bound to another backend 
-are propagated to back-ldap.
+.TP
+.B bindpw <password>
+Password used with the bind DN above.
+.TP
+.B proxyauthzdn "<administrative DN for proxyAuthz purposes>"
+DN which is used to propagate the client's identity to the target
+by means of the proxyAuthz control when the client does not
+belong to the DIT fragment that is being proxyied by back-ldap.
+This is useful when operations performed by users bound to another 
+backend are propagated through back-ldap.

 This requires the entry with 
 This requires the entry with 

-.B binddn 
-DN on the remote server to have
+.B proxyauthzdn 
+identity on the remote server to have

 .B proxyAuthz
 privileges on a wide set of DNs, e.g.
 .B proxyAuthz
 privileges on a wide set of DNs, e.g.

-.BR saslAuthzTo=regex:.* ,
+.BR saslAuthzTo=dn.regex:.* ,

 and the remote server to have
 .B sasl-authz-policy
 set to 
 and the remote server to have
 .B sasl-authz-policy
 set to 


@@ -93,10 +94,9 @@ See
 .BR slapd.conf (5)
 for details on these statements and for remarks and drawbacks about
 their usage.
 .BR slapd.conf (5)
 for details on these statements and for remarks and drawbacks about
 their usage.

-.RE

 .TP
 .TP

-.B bindpw <password>
-Password used with the bind DN above.
+.B proxyauthzpw <password>
+Password used with the proxy authz DN above.

 .TP
 .B proxy-whoami
 Turns on proxying of the WhoAmI extended operation. If this option is
 .TP
 .B proxy-whoami
 Turns on proxying of the WhoAmI extended operation. If this option is