Merge branch 'mdb.master' of ssh://git-master.openldap.org/~git/git/openldap

[openldap] / doc / man / man5 / slapd.access.5

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index e6cb8ae95a5e3a2404753e54d524b80460c613ac..0b11805952ad1cf409ad4c948f1b93c538198aec 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -1,5 +1,5 @@
 .TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"

-.\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2011 The OpenLDAP Foundation All Rights Reserved.

 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME


@@ -54,7 +54,15 @@ are then used.
 If no access controls are present, the default policy
 allows anyone and everyone to read anything but restricts
 updates to rootdn.  (e.g., "access to * by * read").
 If no access controls are present, the default policy
 allows anyone and everyone to read anything but restricts
 updates to rootdn.  (e.g., "access to * by * read").

-The rootdn can always read and write EVERYTHING!
+.LP
+When dealing with an access list, because the global access list is 
+effectively appended to each per-database list, if the resulting 
+list is non-empty then the access list will end with an implicit 
+.B access to * by * none
+directive. If there are no access directives applicable to a backend, 
+then a default read is used.
+.LP
+.B Be warned: the rootdn can always read and write EVERYTHING!

 .LP
 For entries not held in any backend (such as a root DSE), the
 global directives are used.
 .LP
 For entries not held in any backend (such as a root DSE), the
 global directives are used.


@@ -188,7 +196,7 @@ as detailed in
 and/or
 .BR re_format (7),
 matching a normalized string representation of the entry's DN.
 and/or
 .BR re_format (7),
 matching a normalized string representation of the entry's DN.

-The regex form of the pattern does not (yet) support UTF\-8.
+The regex form of the pattern does not (yet) support UTF-8.

 .LP
 The statement
 .B filter=<ldapfilter>
 .LP
 The statement
 .B filter=<ldapfilter>


@@ -249,6 +257,24 @@ resulting in base, onelevel, subtree or children match, respectively.
 The dn, filter, and attrs statements are additive; they can be used in sequence 
 to select entities the access rule applies to based on naming context,
 value and attribute type simultaneously.
 The dn, filter, and attrs statements are additive; they can be used in sequence 
 to select entities the access rule applies to based on naming context,
 value and attribute type simultaneously.

+Submatches resulting from
+.B regex
+matching can be dereferenced in the
+.B <who>
+field using the syntax
+.IR ${v<n>} ,
+where
+.I <n>
+is the submatch number.
+The default syntax,
+.IR $<n> ,
+is actually an alias for
+.IR ${d<n>} ,
+that corresponds to dereferencing submatches from the
+.B dnpattern
+portion of the
+.B <what>
+field.

 .SH THE <WHO> FIELD
 The field
 .B <who>
 .SH THE <WHO> FIELD
 The field
 .B <who>


@@ -302,7 +328,7 @@ with
        <groupstyle>={exact|expand}
        <peernamestyle>={<style>|ip|ipv6|path}
        <domainstyle>={exact|regex|sub(tree)}
        <groupstyle>={exact|expand}
        <peernamestyle>={<style>|ip|ipv6|path}
        <domainstyle>={exact|regex|sub(tree)}

-       <setstyle>={exact|regex}
+       <setstyle>={exact|expand}

        <modifier>={expand}
        <name>=aci              <pattern>=<attrname>]
 .fi
        <modifier>={expand}
        <name>=aci              <pattern>=<attrname>]
 .fi


@@ -714,7 +740,7 @@ Its component are defined as
 .LP
 .nf
        <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
 .LP
 .nf
        <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage

-       <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
+       <priv> ::= {=|+|\-}{0|d|x|c|s|r|{w|a|z}|m}+

 .fi
 .LP
 The modifier
 .fi
 .LP
 The modifier


@@ -790,7 +816,7 @@ access privileges will be only those defined by the clause.
 The 
 .B +
 and
 The 
 .B +
 and

-.B -
+.B \-

 signs add/remove access privileges to the existing ones.
 The privileges are
 .B m
 signs add/remove access privileges to the existing ones.
 The privileges are
 .B m


@@ -919,7 +945,7 @@ Add content ACL checking has been configured on
 the database (see the
 .BR slapd.conf (5)
 or
 the database (see the
 .BR slapd.conf (5)
 or

-.BR slapd-config (5)
+.BR slapd\-config (5)

 manual page),
 .B add (=a)
 will be required on all of the attributes being added.
 manual page),
 .B add (=a)
 will be required on all of the attributes being added.


@@ -1059,12 +1085,12 @@ Access control to search entries is checked by the frontend,
 so it is fully honored by all backends; for all other operations
 and for the discovery phase of the search operation,
 full ACL semantics is only supported by the primary backends, i.e.
 so it is fully honored by all backends; for all other operations
 and for the discovery phase of the search operation,
 full ACL semantics is only supported by the primary backends, i.e.

-.BR back-bdb (5),
+.BR back\-bdb (5),

 and
 and

-.BR back-hdb (5).
+.BR back\-hdb (5).

 
 Some other backend, like
 
 Some other backend, like

-.BR back-sql (5),
+.BR back\-sql (5),

 may fully support them; others may only support a portion of the 
 described semantics, or even differ in some aspects.
 The relevant details are described in the backend-specific man pages.
 may fully support them; others may only support a portion of the 
 described semantics, or even differ in some aspects.
 The relevant details are described in the backend-specific man pages.


@@ -1147,7 +1173,7 @@ ETCDIR/slapd.conf
 default slapd configuration file
 .SH SEE ALSO
 .BR slapd (8),
 default slapd configuration file
 .SH SEE ALSO
 .BR slapd (8),

-.BR slapd-* (5),
+.BR slapd\-* (5),

 .BR slapacl (8),
 .BR regex (7),
 .BR re_format (7)
 .BR slapacl (8),
 .BR regex (7),
 .BR re_format (7)