document new flag values for identity assertion

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 1df057ef8b9e141fee4ca8cf0f0db77c58323135..f36edf25a58415409a32a8976546c62565601867 100644 (file)
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -231,6 +231,10 @@ permissions, or the asserted identities must have appropriate
 permissions.  Note, however, that the ID assertion feature is mostly 
 useful when the asserted identities do not exist on the remote server.
 
+Flags can be
+
+\fBoverride,{prescriptive|non-prescriptive}\fP
+
 When the 
 .B override
 flag is used, identity assertion takes place even when the database
@@ -239,6 +243,20 @@ with the provided identity, and thus authenticating it, the proxy
 performs the identity assertion using the configured identity and
 authentication method.
 
+When the
+.B prescriptive
+flag is used (the default), operations fail with
+\fIinappropriateAuthentication\fP
+for those identities whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+If the 
+.B non-prescriptive
+flag is used, operations are performed anonymously for those identities 
+whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+
 This directive obsoletes
 .BR idassert-authcDN ,
 .BR idassert-passwd ,