s/2.3/2.4/ and more (ITS#5400)

author Pierangelo Masarati <ando@openldap.org>

Sat, 1 Mar 2008 16:06:37 +0000 (16:06 +0000)

committer Pierangelo Masarati <ando@openldap.org>

Sat, 1 Mar 2008 16:06:37 +0000 (16:06 +0000)
author Pierangelo Masarati <ando@openldap.org>
Sat, 1 Mar 2008 16:06:37 +0000 (16:06 +0000)
committer Pierangelo Masarati <ando@openldap.org>
Sat, 1 Mar 2008 16:06:37 +0000 (16:06 +0000)
diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5

index 0fbb1e1fc306c493ede9f344c7186160cd4a4cae..1709ff9eb4c73a8a69a9d0d4317ba6a4122a1a15 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -952,7 +952,8 @@ operation, requires
  .B search (=s)
  privileges on the 
  .B entry
-pseudo-attribute of the searchBase (NOTE: this was introduced with 2.3).
+pseudo-attribute of the searchBase
+(NOTE: this was introduced with OpenLDAP 2.4).
  Then, for each entry, it requires
  .B search (=s)
  privileges on the attributes that are defined in the filter.
@@ -998,6 +999,10 @@ privileges are also required on the
  attribute of the authorizing identity and/or on the 
  .B authzFrom
  attribute of the authorized identity.
+In general, when an internal lookup is performed for authentication
+or authorization purposes, search-specific privileges (see the access
+requirements for the search operation illustrated above) are relaxed to
+.BR auth .
  
  .LP
  Access control to search entries is checked by the frontend,
author	Pierangelo Masarati <ando@openldap.org>
	Sat, 1 Mar 2008 16:06:37 +0000 (16:06 +0000)
committer	Pierangelo Masarati <ando@openldap.org>
	Sat, 1 Mar 2008 16:06:37 +0000 (16:06 +0000)