ITS#5554

[openldap] / doc / guide / admin / appendix-upgrading.sdf

diff --git a/doc/guide/admin/appendix-upgrading.sdf b/doc/guide/admin/appendix-upgrading.sdf
index 98b8a8fe67830835322cf939b44bb79607c0c528..a0504266bdd6e62fa8df63dfe013f962f1cd2fed 100644 (file)
--- a/doc/guide/admin/appendix-upgrading.sdf
+++ b/doc/guide/admin/appendix-upgrading.sdf
@@ -37,6 +37,22 @@ entries like below, just remove them from the relevant ldif file.
 
 >           olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)
 
+H2: ACLs: searches require privileges on the search base
+
+Search operations now require "search" privileges on the "entry" pseudo-attribute of the search
+base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search
+bases.
+
+For example, assuming you have the following ACL:
+
+>           access to dn.sub="ou=people,dc=example,dc=com" by * search
+
+Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:
+
+>           access to dn.base="dc=example,dc=com" attrs=entry by * search
+
+Note: The {{slapd.access}}(5) man page states that this requirement was introduced
+with OpenLDAP 2.3. However, it is the default behavior only since 2.4.