X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapd-shell.5;h=1589b6557555d601403a282e63109a3f6bcc4bb1;hb=3164c73276a9d4af56c81f315199acecbb207217;hp=4a339a7067b6d41fe6e76c9cfafeee99ed1cc411;hpb=feef99c76075fc32635668522a3b821f709c3c6d;p=openldap diff --git a/doc/man/man5/slapd-shell.5 b/doc/man/man5/slapd-shell.5 index 4a339a7067..1589b65575 100644 --- a/doc/man/man5/slapd-shell.5 +++ b/doc/man/man5/slapd-shell.5 @@ -1,5 +1,5 @@ .TH SLAPD-SHELL 5 "RELEASEDATE" "OpenLDAP LDVERSION" -.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME @@ -121,7 +121,10 @@ want the backend to handle. Operations for which a command is not supplied will be refused with an "unwilling to perform" error. .LP -The commands - except \fBunbind\fP - should output: +The \fBsearch\fP command should output the entries in LDIF format, +each entry followed by a blank line, and after these the RESULT below. +.LP +All commands except \fBunbind\fP should then output: .RS .nf RESULT 
@@ -130,10 +133,91 @@ matched: info: .fi .RE -where only RESULT is mandatory. -The \fBsearch\fP RESULT should be preceded by the entries in LDIF -format, each entry followed by a blank line. +where only the RESULT line is mandatory. Lines starting with `#' or `DEBUG:' are ignored. +.SH ACCESS CONTROL +The +.B shell +backend does not honor all ACL semantics as described in +.BR slapd.access (5). +In general, access to objects is checked by using a dummy object +that contains only the DN, so access rules that rely on the contents +of the object are not honored. +In detail: +.LP +The +.B add +operation does not require +.B write (=w) +access to the +.B children +pseudo-attribute of the parent entry. +.LP +The +.B bind +operation requires +.B auth (=x) +access to the +.B entry +pseudo-attribute of the entry whose identity is being assessed; +.B auth (=x) +access to the credentials is not checked, but rather delegated +to the underlying shell script. +.LP +The +.B compare +operation requires +.B read (=r) +access (FIXME: wouldn't +.B compare (=c) +be a more appropriate choice?) +to the +.B entry +pseudo-attribute +of the object whose value is being asserted; +.B compare (=c) +access to the attribute whose value is being asserted is not checked. +.LP +The +.B delete +operation does not require +.B write (=w) +access to the +.B children +pseudo-attribute of the parent entry. +.LP +The +.B modify +operation requires +.B write (=w) +access to the +.B entry +pseudo-attribute; +.B write (=w) +access to the specific attributes that are modified is not checked. +.LP +The +.B modrdn +operation does not require +.B write (=w) +access to the +.B children +pseudo-attribute of the parent entry, nor to that of the new parent, +if different; +.B write (=w) +access to the distinguished values of the naming attributes +is not checked. 
+.LP +The +.B search +operation does not require +.B search (=s) +access to the +.B entry +pseudo_attribute of the searchBase; +.B search (=s) +access to the attributes and values used in the filter is not checked. + .SH EXAMPLE There is an example search script in the slapd/back-shell/ directory in the OpenLDAP source tree.
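Review bot: in the second hunk, the new sentence "All commands except \fBunbind\fP should then output:" reads as if every command first emits LDIF entries, since "then" only makes sense after the preceding paragraph about \fBsearch\fP; for the other commands nothing precedes RESULT. Suggest dropping "then" ("All commands except \fBunbind\fP should output:") so the paragraph stands on its own for non-search operations, and keep the LDIF ordering in the \fBsearch\fP sentence where it already lives.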
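Review bot: the third hunk ships a "FIXME: wouldn't .B compare (=c) be a more appropriate choice?" into the installed man page; that belongs in a code comment or bug report, not in user-facing text, so either resolve the question or remove the parenthetical before merging. Same hunk, the \fBsearch\fP paragraph writes "pseudo_attribute" with an underscore while every other paragraph in this section uses "pseudo-attribute"; make it consistent. Finally, since the new ACCESS CONTROL section states that access is checked against a dummy object containing only the DN and that attribute-level \fBwrite\fP, \fBcompare\fP and \fBsearch\fP access is not checked, it would help administrators to state the practical consequence once up front (attribute- and value-based ACLs in slapd.access(5) provide no protection for this backend, and any such filtering must be done by the script itself) rather than leaving the reader to infer it from the per-operation list.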