> rootdn "uid=root,cn=example.com,cn=digest-md5,cn=auth"
+See the {{SECT:SASL Authentication}} section for information on
+SASL authentication identities.
+
H4: rootpw <password>
This directive can be used to specifies a password for the DN for
-the rootdn.
+the rootdn (when the rootdn is set to a DN within the database).
\Example:
> rootpw secret
-It is also permissible to provide hash of the password in
-RFC 2307 form. {{slappasswd}}(8) may be used to generate
-the password hash.
+It is also permissible to provide hash of the password in RFC 2307
+form. {{slappasswd}}(8) may be used to generate the password hash.
\Example:
The hash was generated using the command {{EX:slappasswd -s secret}}.
-This directive is deprecated in favor of SASL based authentication.
-
H4: suffix <dn suffix>
> attrs=<attribute list>
-Access to the entry itself must be granted or denied using the
-special attribute name "{{EX:entry}}". Note that giving access to an
-attribute is not enough; access to the entry itself through the
-{{EX:entry}} attribute is also required. The complete examples at
-the end of this section should help clear things up.
+There are two special {{psuedo}} attributes {{EX:entry}} and
+{{EX:children}}. To read (and hence return) an target entry, the
+subject must have {{EX:read}} access to the target's {{entry}}
+attribute. To add or delete an entry, the subject must have
+{{EX:write}} access to the entry's parent's {{EX:children}} attribute.
+To rename an entry, the subject must have {{EX:write}} access to
+both the old parent's and new parent's {{EX:children}} attributes.
+The complete examples at the end of this section should help clear
+things up.
Lastly, there is a special entry selector {{EX:"*"}} that is used to
select any entry. It is used when no other {{EX:<what>}}
projects / openldap / blobdiff