Add note about "children" to access controls section.

[openldap] / doc / guide / admin / slapdconfig.sdf

diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf
index 3e8c0850d23d9a78930cf0d687458eeb34da04d9..66ce3cf42d99e0d929c79b0b570745debb8e88ca 100644 (file)
--- a/doc/guide/admin/slapdconfig.sdf
+++ b/doc/guide/admin/slapdconfig.sdf
@@ -627,11 +627,15 @@ selector:
 
 >      attrs=<attribute list>
 
-Access to the entry itself must be granted or denied using the
-special attribute name "{{EX:entry}}". Note that giving access to an
-attribute is not enough; access to the entry itself through the
-{{EX:entry}} attribute is also required. The complete examples at
-the end of this section should help clear things up.
+There are two special {{psuedo}} attributes {{EX:entry}} and
+{{EX:children}}.  To read (and hence return) an target entry, the
+subject must have {{EX:read}} access to the target's {{entry}}
+attribute.  To add or delete an entry, the subject must have
+{{EX:write}} access to the entry's parent's {{EX:children}} attribute.
+To rename an entry, the subject must have {{EX:write}} access to
+both the old parent's and new parent's {{EX:children}} attributes.
+The complete examples at the end of this section should help clear
+things up.
 
 Lastly, there is a special entry selector {{EX:"*"}} that is used to
 select any entry.  It is used when no other {{EX:<what>}}