# $OpenLDAP$
-# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
+# Copyright 1999-2012 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Access Control
As a consequence, it's useless (and results in a performance penalty) to explicitly
list the {{rootdn}} among the {{<by>}} clauses.
-The following sections will describe Access Control Lists in more details and
-follow with some examples and recommendations.
+The following sections will describe Access Control Lists in greater depth and
+follow with some examples and recommendations. See {{slapd.access}}(5) for
+complete details.
H2: Access Control via Static Configuration
H3: Controlling rootdn access
-You could specify the {{rootdn}} in {{slapd.conf}}(5) or {[slapd.d}} without
+You could specify the {{rootdn}} in {{slapd.conf}}(5) or {{slapd.d}} without
specifying a {{rootpw}}. Then you have to add an actual directory entry with
the same dn, e.g.:
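Review bot: the "{[" opener corrected here on {[slapd.d}} is the same markup typo this patch also corrects on {[dn}} in the group clause paragraph, which suggests it was introduced in more than one place. Search the whole file for any remaining "{[" before merging, so the fix lands in one commit instead of being found one occurrence at a time.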
> by group.exact="cn=Administrators,dc=example,dc=com" write
> by * auth
-Like by {[dn}} clauses, one can also use {{expand}} to expand the group name
+Like by {{dn}} clauses, one can also use {{expand}} to expand the group name
based upon the regular expression matching of the target, that is, the to {{dn.regex}}).
For instance,
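Review bot: the context line right after the corrected one still ends in an unmatched closing parenthesis, "that is, the to {{dn.regex}}).", with no opening "(" anywhere in the sentence, and "the to {{dn.regex}}" reads as if a word is missing. Since this commit already touches the sentence, drop the stray ")" and reword so it is clear that {{dn.regex}} is the one in the to clause of the access rule.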
The general rule is: "special access rules first, generic access rules last"
-See also {{slapd.access}}(8), loglevel 128 and {{slapacl}}(8) for debugging
+See also {{slapd.access}}(5), loglevel 128 and {{slapacl}}(8) for debugging
information.
write access to the specified attributes. Better yet, this will happen to any
entry she accesses which has Mary as the manager.
-This is all cool and nice, but perhaps gives to much power to secretaries. Maybe we need to further
+This is all cool and nice, but perhaps gives too much power to secretaries. Maybe we need to further
restrict it. For example, let's only allow executive secretaries to have this power:
> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
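Review bot: the corrected line, "This is all cool and nice, but perhaps gives too much power to secretaries. Maybe we need to further", is noticeably longer than the lines around it, which are wrapped at roughly 80 columns. This is a style point only; if the paragraph is rewrapped, do it in a separate whitespace-only commit so that the "to much" to "too much" fix stays easy to see in the history.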