clarify the use of regex and expand in by dn clauses

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index 32cb9b72f693e9920d0b4d38e4ff80f4c7e4ec41..763e449edf8e296800d99915b4d62b616403e40f 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -261,8 +261,8 @@ the dollar character that is used to indicate match up to the end of
 the string must be escaped by a second dollar character, e.g.
 .LP
 .nf
-        access to dn.regex="^(.*,)?uid=([^,]+),dc=example,dc=com$"
-                by dn.regex="^uid=$1,dc=example,dc=com$$" write
+    access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$"
+        by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write
 .fi
 .LP
 The style qualifier
@@ -275,6 +275,30 @@ even if
 .B dnstyle
 is not 
 .BR regex .
+Note that the 
+.I regex 
+dnstyle in the above example may be of use only if the 
+.B by
+clause needs to be a regex; otherwise, if the
+value of the second (from the right)
+.I dc=
+portion of the DN in the above example were fixed, the form
+.LP
+.nf
+    access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$"
+        by dn.exact,expand="uid=$2,dc=example,dc=com" write
+.fi
+.LP
+could be used; if it had to match the value in the 
+.B what
+clause, the form
+.LP
+.nf
+    access to dn.regex="^(.+,)?uid=([^,]+),dc=([^,]+),dc=com$"
+        by dn.exact,expand="uid=$2,dc=$3,dc=com" write
+.fi
+.LP
+could be used.
 .LP
 It is perfectly useless to give any access privileges to a DN 
 that exactly matches the