.TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
.B exact
(an alias of
.BR base )
-indicates the entry whose DN is equal to the pattern.
+indicates the entry whose DN is equal to the pattern;
.B one
+(synonym of
+.BR onelevel )
indicates all the entries immediately below the
.BR pattern ,
-.B subtree
+.B sub
+(synonym of
+.BR subtree )
indicates all entries in the subtree at the pattern,
.B children
indicates all the entries below (subordinate to) the pattern.
.B <attrlist>
that are prefixed by
.B @
-are directly treated as objectClass names, while names that
-do not correspond to an attribute type are also searched
-in the objectclass set.
-This latter behavior is deprecated and might not be supported
-in future releases.
-A name prefixed by
+are directly treated as objectClass names. A name prefixed by
.B !
is also treated as an objectClass, but in this case the access rule
affects the attributes that are not required nor allowed
.LP
.nf
<level> ::= none|auth|compare|search|read|write
- <priv> ::= {=|+|-}{w|r|s|c|x}+
+ <priv> ::= {=|+|-}{w|r|s|c|x|0}+
.fi
.LP
The modifier
for compare, and
.B x
for authentication.
-More than one privilege can be added in one statement.
+More than one of the above privileges can be added in one statement.
+.B 0
+indicates no privileges and is used only by itself (e.g., +0).
.LP
The optional field
.B <control>
(generally the
.B ref
attribute).
+.LP
+Some
+.B controls
+require specific access privileges.
+The
+.B proxyAuthz
+control requires
+.B auth (=x)
+privileges on all the attributes that are present in the search filter
+of the URI regexp maps (the right-hand side of the
+.B sasl-regexp
+directives).
+It also requires
+.B auth (=x)
+privileges on the
+.B saslAuthzTo
+attribute of the authorizing identity and/or on the
+.B saslAuthzFrom
+attribute of the authorized identity.
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
.BR <dnstyle> ,