One important issue is that access rules are based on the identity
that issued the operation.
After massaging from the virtual to the real naming context, the
-frontend sees the operation as performed by the identty in the
+frontend sees the operation as performed by the identity in the
real naming context.
Moreover, since
.B back-relay
database relay
suffix "dc=virtual,dc=naming,dc=context"
overlay rwm
- suffixmassage "dc=virtual,dc=naming,dc=context"
- "dc=real,dc=naming,dc=context"
+ suffixmassage "dc=real,dc=naming,dc=context"
.fi
.LP
This is useful, for instance, to relay different databases that
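Review bot: The single-argument suffixmassage in the example no longer names the virtual naming context, and nothing in the surrounding lines says where it now comes from. If the intent is that it defaults to the database's suffix ("dc=virtual,dc=naming,dc=context" here), say so in a sentence next to the example, and state whether the two-argument form is still accepted so that readers with existing configurations know whether they have to change them.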
and in the
.BR "virtual naming context" ,
respectively.
+.SH ACCESS CONTROL
+The
+.B relay
+backend does not honor any of the access control semantics described in
+.BR slapd.access (5);
+all access control is delegated to the relayed database(s).
+Only
+.B read (=r)
+access to the
+.B entry
+pseudo-attribute and to the other attribute values of the entries
+returned by the
+.B search
+operation is honored, which is performed by the frontend.
.SH FILES
.TP
ETCDIR/slapd.conf
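Review bot: In the new ACCESS CONTROL section the first sentence says the relay backend does not honor any slapd.access(5) semantics, and the next one lists a check that is honored, so the two read as contradictory; the trailing "which is performed by the frontend" also attaches to the search operation rather than to the access check. Suggest folding them together, for example "with the exception of read (=r) access to the entry pseudo-attribute and to the attribute values of entries returned by search, which is checked by the frontend". It would also help to refer back to the earlier paragraph on identity massaging, since the rules delegated to the relayed database are evaluated against the identity in the real naming context.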
.SH EXAMPLES
There are example SQL modules in the slapd/back-sql/rdbms_depend/
directory in the OpenLDAP source tree.
+.SH ACCESS CONTROL
+The
+.B sql
+backend honors access control semantics as indicated in
+.BR slapd.access (5),
+including the
+.B disclose
+access privilege.
.SH FILES
.TP