clarify global ACL use

clarify root and subschema DSE ACLs

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index db0a91e844ec94c323264d0001ec5f8b91d50feb..fa6b945214c45c14de5540f0599c7301784d10cb 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -40,16 +40,20 @@ is as follows:
     ...
 .fi
 .LP
-Both the global configuration and each backend-specific section can contain
-access information.
-Backend-specific access control directives are used for those entries
-that belong to the backend, according to their naming context.
-In case no access control directives are defined for a backend, 
-the appropriate directives from the global configuration section
-are used.
-.LP
-Arguments that should be replaced by actual text are shown in brackets <>.
-The structure of the access control directives is
+Both the global configuration and each backend-specific section can
+contain access information.  Backend-specific access control
+directives are used for those entries that belong to the backend,
+according to their naming context.  In case no access control
+directives are defined for a backend or those which are defined are
+not applicable, the directives from the global configuration section
+are then used.
+.LP
+For entries not held in any backend (such as a root DSE), the
+directives of the first backend (and any global directives) are
+used.
+.LP
+Arguments that should be replaced by actual text are shown in
+brackets <>.  The structure of the access control directives is
 .TP
 .B access to <what> "[ by <who> <access> [ <control> ] ]+"
 Grant access (specified by