clearly indicate what the default rules are

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index 65818ca7263d5c4252191d1ed1ac2eebeac56233..b17c83afabfeaaf0d3022e24867b41277749683f 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -52,6 +52,11 @@ directives are defined for a backend or those which are defined are
 not applicable, the directives from the global configuration section
 are then used.
 .LP
+If no access controls are present, the default policy
+allows anyone and everyone to read anything but restricts
+updates to rootdn.  (e.g., "access to * by * read").
+The rootdn can always read and write EVERYTHING!
+.LP
 For entries not held in any backend (such as a root DSE), the
 directives of the first backend (and any global directives) are
 used.

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index e4aa7d485e82eccff8ebeee6016bd4e77218b291..c1a5aa2597f5cb6d18a46c8b7b8047f8155ff017 100644 (file)
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -79,6 +79,10 @@ actual text are shown in brackets <>.
 Grant access (specified by <access>) to a set of entries and/or
 attributes (specified by <what>) by one or more requestors (specified
 by <who>).
+If no access controls are present, the default policy
+allows anyone and everyone to read anything but restricts
+updates to rootdn.  (e.g., "access to * by * read").
+The rootdn can always read and write EVERYTHING!
 See
 .BR slapd.access (5)
 and the "OpenLDAP's Administrator's Guide" for details.