Sync with HEAD

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index 219a5addaaddd991b90e55db3305f80e7e149a09..4769fa62740af552a4383b0dee5f2be957bf3178 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -74,7 +74,7 @@ It can have the forms
        *
        [dn[.<dnstyle>]=<DN>] 
        [filter=<ldapfilter>]
-       [attrs=<attrlist>]
+       [attrs=<attrlist>[ val[.<style>]=<attrval>]]
 .fi
 .LP
 The wildcard
@@ -124,6 +124,20 @@ indicating access to the entry itself, and
 indicating access to the entry's children. ObjectClass names may also
 be specified in this list, which will affect all the attributes that
 are required and/or allowed by that objectClass.
+Actually, names in 
+.B <attrlist>
+that are prefixed by
+.B @
+are directly treated as objectClass names, while names that 
+do not correspond to an attribute type are also searched 
+in the objectclass set.
+This latter behavior is deprecated and might not be supported
+in future releases.
+A name prefixed by
+.B !
+is also treated as an objectClass, but in this case the access rule
+affects the attributes that are not required nor allowed 
+by that objectClass.
 .LP
 Using the form
 .B attrs=<attr> val[.<style>]=<value>
@@ -133,11 +147,20 @@ In this case, only a single attribute type may be given. A value
 of
 .B exact
 (the default) uses the attribute's equality matching rule to compare the
-value. If the
+value. If the value
 .B <style>
 is
 .BR regex ,
 the provided value is used as a regular expression pattern.
+If the attribute has DN syntax, the value
+.B <style>
+can be any of
+.BR base ,
+.BR onelevel ,
+.B subtree
+or
+.BR children ,
+resulting in base, onelevel, subtree or children match, respectively.
 .LP
 The dn, filter, and attrs statements are additive; they can be used in sequence 
 to select entities the access rule applies to based on naming context,
@@ -568,8 +591,7 @@ access to the attribute holding the referral information
 attribute).
 .SH CAVEATS
 It is strongly recommended to explicitly use the most appropriate
-DN 
-.BR style ,
+.BR <dnstyle> ,
 to avoid possible incorrect specifications of the access rules as well
 as for performance (avoid unrequired regex matching when an exact
 match suffices) reasons.
@@ -601,6 +623,40 @@ For performance reasons, it would be better to use the subtree style.
                by ...
 .fi
 .LP
+When writing submatch rules, it may be convenient to avoid unnecessary
+.B regex
+.B <dnstyle>
+use; for instance, to allow access to the subtree of the user 
+that matches the
+.B what
+clause, one could use
+.LP
+.nf
+       access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
+               by dn.regex="^uid=$1,dc=example,dc=com$$" write
+               by ...
+.fi
+.LP
+However, since all that is required in the 
+.B to
+clause is substring expansion, a more efficient solution is
+.LP
+.nf
+       access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
+               by dn.exact,expand="uid=$1,dc=example,dc=com" write
+               by ...
+.fi
+.LP
+In fact, while a
+.B <dnstyle>
+of
+.B regex
+implies substring expansion, 
+.BR exact ,
+as well as all the other DN specific
+.B <dnstyle>
+values, does not, so it must be explicitly requested.
+.LP
 .SH FILES
 .TP
 ETCDIR/slapd.conf