The \fBsearch\fP RESULT should be preceded by the entries in LDIF
format, each entry followed by a blank line.
Lines starting with `#' or `DEBUG:' are ignored.
+.SH ACCESS CONTROL
+The
+.B shell
+backend does not honor all ACL semantics as described in
+.BR slapd.access (5).
+In general, access to objects is checked by using a dummy object
+that contains only the DN, so access rules that rely on the contents
+of the object are not honored.
+In detail:
+.LP
+The
+.B add
+operation does not require
+.B write (=w)
+access to the
+.B children
+pseudo-attribute of the parent entry.
+.LP
+The
+.B bind
+operation requires
+.B auth (=x)
+access to the
+.B entry
+pseudo-attribute of the entry whose identity is being assessed;
+.B auth (=x)
+access to the credentials is not checked, but rather delegated
+to the underlying shell script.
+.LP
+The
+.B compare
+operation requires
+.B read (=r)
+access (FIXME: wouldn't
+.B compare (=c)
+be a more appropriate choice?)
+to the
+.B entry
+pseudo-attribute
+of the object whose value is being asserted;
+.B compare (=c)
+access to the attribute whose value is being asserted is not checked.
+.LP
+The
+.B delete
+operation does not require
+.B write (=w)
+access to the
+.B children
+pseudo-attribute of the parent entry.
+.LP
+The
+.B modify
+operation requires
+.B write (=w)
+access to the
+.B entry
+pseudo-attribute;
+.B write (=w)
+access to the specific attributes that are modified is not checked.
+.LP
+The
+.B modrdn
+operation does not require
+.B write (=w)
+access to the
+.B children
+pseudo-attribute of the parent entry, nor to that of the new parent,
+if different;
+.B write (=w)
+access to the distinguished values of the naming attributes
+is not checked.
+.LP
+The
+.B search
+operation does not require
+.B search (=s)
+access to the
+.B entry
+pseudo_attribute of the searchBase;
+.B search (=s)
+access to the attributes and values used in the filter is not checked.
+
.SH EXAMPLE
There is an example search script in the slapd/back-shell/ directory
in the OpenLDAP source tree.
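Review bot: the new ACCESS CONTROL section in slapd-shell.5 ships an unresolved FIXME inside the compare paragraph ("FIXME: wouldn't compare (=c) be a more appropriate choice?"); resolve it before committing instead of publishing an open question in the man page: either change back-shell to check compare (=c) on the entry pseudo-attribute and document that, or state the read (=r) requirement plainly as a known deviation from slapd.access(5). In the search paragraph of the same hunk, "pseudo_attribute" should be "pseudo-attribute". Since the section documents that per-attribute write (=w) on modify, write (=w) on the parent's children pseudo-attribute for add, delete and modrdn, and search (=s) on filter attributes are all skipped and left to the script, consider a one-line warning that ACLs relying on those checks are not enforced when back-shell serves the naming context, so administrators do not assume their existing access directives carry over unchanged.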
attribute of the authorized identity.
.LP
-Some backends do not honor all the above rules. In detail:
-
-.TP
-.B bacl-ldap/back-meta
-\fIdo not check\fP
-.B write (=w)
-access, since it is delegated to the remote host(s) serving
-the naming context.
-The same applies to checking
-.B search (=s)
-access to the
-.B entry
-pseudo-attribute of the
-.B searchBase
-of a search operation,
-.B search (=s)
-access to the attributes used in the
-.BR searchFilter ,
-and
-.B disclose (=d)
-access to the
-.B entry
-pseudo-attribute of any object in case of error: all those checks
-are delegated to the remote host(s).
-In any case,
-.B read (=r)
-access is honored locally by the frontend.
+Access control to search entries is checked by the frontend,
+so it is fully honored by all backends; for all other operations
+and for the discovery phase of the search operation,
+full ACL semantics is only supported by the primary backends, i.e.
+.BR back-bdb (5),
+.BR back-hdb (5),
+and
+.BR back-ldbm (5).
-.TP
-.B back-shell
-requires
-.B write (=w)
-access to the
-.B entry
-pseudo-attribute for the modify operation; in the meanwhile,
-\fIwrite access to the specific attributes that are modified
-is not checked\fP.
+Some other backend, like
+.BR back-sql (5),
+may fully support them; others may only support a portion of the
+described semantics, or even differ in some aspects.
+The relevant details are described in the backend-specific man pages.
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
default slapd configuration file
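Review bot: the replacement text drops the specific statement that back-ldap and back-meta delegate write (=w), search (=s) on the searchBase entry pseudo-attribute and on filter attributes, and disclose (=d) on error to the remote host(s), while read (=r) is still enforced locally by the frontend; the new paragraph only says "The relevant details are described in the backend-specific man pages". Confirm that slapd-ldap(5) and slapd-meta(5) actually carry that information in this change set, otherwise it is lost for the reader. Grammar in the same hunk: "full ACL semantics is only supported" should read "are only supported", and "Some other backend, like back-sql(5), may fully support them" should be "Some other backends, like ...".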
.SH SEE ALSO
.BR slapd (8),
+.BR slapd-* (5),
.BR slapacl (8),
.BR regex (7),
.BR re_format (7)
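Review bot: `.BR slapd-* (5)` in SEE ALSO is a glob rather than a page name, so `man slapd-*`, whatis/apropos and HTML man-page converters will not resolve it. Either spell out the backend pages this text now relies on, at least slapd-shell(5), slapd-ldap(5), slapd-meta(5) and slapd-sql(5), or keep the wildcard and list the explicit ones alongside it.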