.TH SLAPD-SHELL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
make it easy to tie an existing database to the
.B slapd
front-end.
+.LP
+This backend is is primarily intended to be used in prototypes.
.SH WARNING
-.B "This backend's calling conventions have changed since OpenLDAP 2.0."
-The abandon operation now gets a new "pid:" line.
-The "msgid:" lines will be removed in a future version.
+The
+.B abandon
+shell command has been removed since OpenLDAP 2.1.
.SH CONFIGURATION
These
.B slapd.conf
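Review bot: the added sentence "This backend is is primarily intended to be used in prototypes." has a doubled "is"; drop one. In the new WARNING text, "has been removed since OpenLDAP 2.1" would read better as "was removed in OpenLDAP 2.1". The text should also say whether an abandon directive left over in slapd.conf is now rejected or ignored.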
execute in response to the given LDAP operation.
Each option is followed by the input lines that the program receives:
.TP
-.B abandon <pathname> <argument>...
-.nf
-ABANDON
-msgid: <message ID of operation to abandon>
-<repeat { "suffix:" <database suffix DN> }>
-pid: <process ID of operation to abandon>
-.fi
-.TP
.B add <pathname> <argument>...
.nf
ADD
Operations for which a command is not supplied will be refused with an
"unwilling to perform" error.
.LP
-The commands - except \fBabandon\fP and \fBunbind\fP - should output:
+The \fBsearch\fP command should output the entries in LDIF format,
+each entry followed by a blank line, and after these the RESULT below.
+.LP
+All commands except \fBunbind\fP should then output:
.RS
.nf
RESULT
info: <text>
.fi
.RE
-where only RESULT is mandatory.
-The \fBsearch\fP RESULT should be preceded by the entries in LDIF
-format, each entry followed by a blank line.
+where only the RESULT line is mandatory.
Lines starting with `#' or `DEBUG:' are ignored.
+.SH ACCESS CONTROL
+The
+.B shell
+backend does not honor all ACL semantics as described in
+.BR slapd.access (5).
+In general, access to objects is checked by using a dummy object
+that contains only the DN, so access rules that rely on the contents
+of the object are not honored.
+In detail:
+.LP
+The
+.B add
+operation does not require
+.B write (=w)
+access to the
+.B children
+pseudo-attribute of the parent entry.
+.LP
+The
+.B bind
+operation requires
+.B auth (=x)
+access to the
+.B entry
+pseudo-attribute of the entry whose identity is being assessed;
+.B auth (=x)
+access to the credentials is not checked, but rather delegated
+to the underlying shell script.
+.LP
+The
+.B compare
+operation requires
+.B read (=r)
+access (FIXME: wouldn't
+.B compare (=c)
+be a more appropriate choice?)
+to the
+.B entry
+pseudo-attribute
+of the object whose value is being asserted;
+.B compare (=c)
+access to the attribute whose value is being asserted is not checked.
+.LP
+The
+.B delete
+operation does not require
+.B write (=w)
+access to the
+.B children
+pseudo-attribute of the parent entry.
+.LP
+The
+.B modify
+operation requires
+.B write (=w)
+access to the
+.B entry
+pseudo-attribute;
+.B write (=w)
+access to the specific attributes that are modified is not checked.
+.LP
+The
+.B modrdn
+operation does not require
+.B write (=w)
+access to the
+.B children
+pseudo-attribute of the parent entry, nor to that of the new parent,
+if different;
+.B write (=w)
+access to the distinguished values of the naming attributes
+is not checked.
+.LP
+The
+.B search
+operation does not require
+.B search (=s)
+access to the
+.B entry
+pseudo_attribute of the searchBase;
+.B search (=s)
+access to the attributes and values used in the filter is not checked.
+
.SH EXAMPLE
There is an example search script in the slapd/back-shell/ directory
in the OpenLDAP source tree.
When using the shell backend,
.BR slapd (8)
should be built
-.IR --without-thread .
+.IR --without-threads .
.SH FILES
.TP
ETCDIR/slapd.conf
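Review bot: the compare paragraph of the new ACCESS CONTROL section ships an unresolved "(FIXME: wouldn't compare (=c) be a more appropriate choice?)" in user-facing text. Settle that question in the code or the tracker and have the man page state only the behaviour, namely that read (=r) access to the entry pseudo-attribute is required. The search paragraph spells "pseudo_attribute" where every other paragraph uses "pseudo-attribute". It also does not say whether read (=r) access is checked on the entries and attributes that are returned, which an administrator needs to know given that content-based rules are not honored. The empty added line before .SH EXAMPLE can be dropped.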