more clarifications on dnstyle usage

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index e1496e29f2286008d7ec13213639b3665008b374..8e48197957a7501d67d124806d0fbab519dc7a21 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -591,8 +591,7 @@ access to the attribute holding the referral information
 attribute).
 .SH CAVEATS
 It is strongly recommended to explicitly use the most appropriate
-DN 
-.BR style ,
+.BR <dnstyle> ,
 to avoid possible incorrect specifications of the access rules as well
 as for performance (avoid unrequired regex matching when an exact
 match suffices) reasons.
@@ -624,6 +623,40 @@ For performance reasons, it would be better to use the subtree style.
                by ...
 .fi
 .LP
+When writing submatch rules, it may be convenient to avoid unnecessary
+.B regex
+.B <dnstyle>
+use; for instance, to allow access to the subtree of the user 
+that matches the
+.B what
+clause, one could use
+.LP
+.nf
+       access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
+               by dn.regex="^uid=$1,dc=example,dc=com$$" write
+               by ...
+.fi
+.LP
+However, since all that is required in the 
+.B to
+clause is substring expansion, a more efficient solution is
+.LP
+.nf
+       access to dn.regex="^(.+,)?uid=([^,]+),dc=example,dc=com$$"
+               by dn.exact,expand="uid=$1,dc=example,dc=com" write
+               by ...
+.fi
+.LP
+In fact, while a
+.B <dnstyle>
+of
+.B regex
+implies substring expansion, 
+.BR exact ,
+as well as all the other DN specific
+.B <dnstyle>
+values, does not, so it must be explicitly requested.
+.LP
 .SH FILES
 .TP
 ETCDIR/slapd.conf