privileges to authenticated clients.
.SH OPERATION REQUIREMENTS
Operations require different privileges on different portions of entries.
-.TP
+The following summary applies to primary database backends such as
+the LDBM, BDB, and HDB backends. Requirements for other backends may
+(and often do) differ.
+.LP
The
.B add
-operation requires
-.B write
-privileges on the meta-attribute
+operation requires
+.B write (=w)
+privileges on the pseudo-attribute
.B entry
of the entry being added, and
-.B write
-privileges on the meta-attribute
+.B write (=w)
+privileges on the pseudo-attribute
.B children
of the entry's parent.
-.TP
+.LP
The
.B bind
operation, when credentials are stored in the directory, requires
-.B auth
+.B auth (=x)
privileges on the attribute the credentials are stored in (usually
.BR userPassword ).
-.TP
+.LP
The
.B compare
operation requires
-.B compare
+.B compare (=c)
privileges on the attribute that is being compared.
-.B FIXME: should it require also compare privileges on the entry's meta-attribute?
-.TP
+.LP
The
.B delete
operation requires
-.B write
-privileges on the meta-attribute
+.B write (=w)
+privileges on the pseudo-attribute
.B entry
of the entry being deleted, and
-.B write
+.B write (=w)
privileges on the
.B children
-meta-attribute of the entry's parent.
-.TP
+pseudo-attribute of the entry's parent.
+.LP
The
.B modify
operation requires
-.B write
+.B write (=w)
privileges on the attibutes being modified.
-.TP
+.LP
The
.B modrdn
operation requires
-.B write
-privileges on the meta-attribute
+.B write (=w)
+privileges on the pseudo-attribute
.B entry
of the entry whose relative DN is being modified,
-.B write
-privileges on the meta-attribute
+.B write (=w)
+privileges on the pseudo-attribute
.B children
of the old and new entry's parents, and
-.B write
+.B write (=w)
privileges on the attributes that are present in the new relative DN.
-.B Write
+.B Write (=w)
privileges are also required on the attributes that are present
in the old relative DN if
.B deleteoldrdn
is set to 1.
-.TP
+.LP
The
.B search
operation, for each entry, requires
-.B search
+.B search (=s)
privileges on the attributes that are defined in the filter.
Then, the resulting entries are tested for
-.B read
-privileges on the meta-attribute
+.B read (=r)
+privileges on the pseudo-attribute
.B entry
+(for read access to the entry itself)
and for
-.B read
+.B read (=r)
access on each value of each attribute that is requested.
-.B Referrals
-are also checked for
-.B read
-access on the meta-attribute
-.BR entry .
+Also, for each
+.B referral
+object used in generating continuation references, the operation requires
+.B read (=r)
+access on the pseudo-attribute
+.B entry
+(for read access to the referral object itself),
+as well as
+.B read (=r)
+access to the attribute holding the referral information
+(generally the
+.B ref
+attribute).
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
DN
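Review bot: In the compare paragraph, the removed FIXME line asked whether compare should also require privileges on the entry pseudo-attribute, and the patch drops that question without recording the answer. The search paragraph now states explicitly that read (=r) on entry is required, so the compare paragraph (and modify, which is equally silent) should say whether any access on entry is needed; as written, an ACL author cannot tell from this page whether denying access to entry also blocks compare. Two smaller points: the unchanged context line "privileges on the attibutes being modified." keeps its typo although the line directly above it is touched, so correct it to "attributes" in the same change; and the delete paragraph reads "privileges on the children pseudo-attribute" while add and modrdn use "privileges on the pseudo-attribute children", which is worth making uniform.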