ITS#5400

diff --git a/CHANGES b/CHANGES
index a158fefc472166fb8c39b52611ad7c5c0880ce74..d6a05aabf7382b7b503e5963da079a2439870a30 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -20,6 +20,8 @@ OpenLDAP 2.4.9 Engineering
        Fixed slapo-syncprov/glue search ops (ITS#5434)
        Fixed slapo-syncprov null cookie (ITS#5437,#5444)
        Fixed slapo-syncprov double-free (ITS#5445)
+       Documentation
+               Fixed slapd.access(5) authz-regexp documented behavior (ITS#5400)
 
 OpenLDAP 2.4.8 Release (2008/02/19)
        Fixed ldapmodify verbose logging (ITS#5247)

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index 0fbb1e1fc306c493ede9f344c7186160cd4a4cae..1709ff9eb4c73a8a69a9d0d4317ba6a4122a1a15 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -952,7 +952,8 @@ operation, requires
 .B search (=s)
 privileges on the 
 .B entry
-pseudo-attribute of the searchBase (NOTE: this was introduced with 2.3).
+pseudo-attribute of the searchBase
+(NOTE: this was introduced with OpenLDAP 2.4).
 Then, for each entry, it requires
 .B search (=s)
 privileges on the attributes that are defined in the filter.
@@ -998,6 +999,10 @@ privileges are also required on the
 attribute of the authorizing identity and/or on the 
 .B authzFrom
 attribute of the authorized identity.
+In general, when an internal lookup is performed for authentication
+or authorization purposes, search-specific privileges (see the access
+requirements for the search operation illustrated above) are relaxed to
+.BR auth .
 
 .LP
 Access control to search entries is checked by the frontend,