reference only and are not included in the actual file. First, the
global configuration section:
-E: 1. # example config file - global configuration section
-E: 2. include /usr/local/etc/schema/core.schema
-E: 3. referral ldap://root.openldap.org
-
+E: 1. # example config file - global configuration section
+E: 2. include /usr/local/etc/schema/core.schema
+E: 3. referral ldap://root.openldap.org
+E: 4. access to * by * read
+
Line 1 is a comment. Lines 2 include another config file
which containing {{core}} schema definitions.
The {{EX:referral}} directive on line 3
below will be referred to the LDAP server running on the
standard port (389) at the host {{EX:root.openldap.org}}.
+Line 4 is a global access control. It is applied after any
+applicable database access control. Note that requests to
+read objects which are not held by any backend (such as
+the Root DSE) are only controlled by global directives.
+
The next section of the configuration file defines an LDBM
backend that will handle queries for things in the
"dc=example,dc=com" portion of the tree. The
maintained for several attributes, and the {{EX:userPassword}}
attribute is to be protected from unauthorized access.
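Review bot: the added global `access to * by * read` (line 4 of the listing) grants read to everyone, anonymous clients included, for any object that no database `access` clause matches, and the new paragraph says that for objects held by no backend (the Root DSE) this global rule is the only control that applies. Since the database section below ends with its own `access to * ... by * read` catch-all, the global rule never reaches entries under "dc=example,dc=com"; the paragraph should say plainly that anonymous read of the Root DSE and similar objects is the intended effect of this example, and mention `by users read` as the narrower form if that is not wanted. While touching this block, the unchanged sentence "Lines 2 include another config file which containing {{core}} schema definitions" should read "Line 2 includes another config file containing the {{core}} schema definitions".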
-E: 4. # ldbm definition for the example.com
-E: 5. database ldbm
-E: 6. suffix "dc=example, dc=com"
-E: 7. directory /usr/local/var/openldap
-E: 8. rootdn "cn=Manager, dc=example, dc=com"
-E: 9. rootpw secret
-E: 10. # replication directives
-E: 11. replogfile /usr/local/var/openldap/slapd.replog
-E: 12. replica host=slave1.example.com:389
-E: 13. binddn="cn=Replicator, dc=example, dc=com"
-E: 14. bindmethod=simple credentials=secret
-E: 15. replica host=slave2.example.com
-E: 16. binddn="cn=Replicator, dc=example, dc=com"
-E: 17. bindmethod=simple credentials=secret
-E: 18. # indexed attribute definitions
-E: 19. index uid pres,eq
-E: 20. index cn,sn,uid pres,eq,approx,sub
-E: 21. index objectClass eq
-E: 22. # ldbm access control definitions
-E: 23. access to attr=userPassword
-E: 24. by self write
-E: 25. by anonymous auth
-E: 26. by dn="cn=Admin,dc=example,dc=com" write
-E: 27. by * none
-E: 28. access to *
-E: 29. by self write
-E: 30. by anonymous auth
-E: 31. by dn="cn=Admin,dc=example,dc=com" write
-E: 32. by * read
-
-Line 4 is a comment. The start of the database definition is
-marked by the database keyword on line 5. Line 6 specifies
-the DN suffix for queries to pass to this database. Line 7
+E: 5. # ldbm definition for the example.com
+E: 6. database ldbm
+E: 7. suffix "dc=example, dc=com"
+E: 8. directory /usr/local/var/openldap
+E: 9. rootdn "cn=Manager, dc=example, dc=com"
+E: 10. rootpw secret
+E: 11. # replication directives
+E: 12. replogfile /usr/local/var/openldap/slapd.replog
+E: 13. replica host=slave1.example.com:389
+E: 14. binddn="cn=Replicator, dc=example, dc=com"
+E: 15. bindmethod=simple credentials=secret
+E: 16. replica host=slave2.example.com
+E: 17. binddn="cn=Replicator, dc=example, dc=com"
+E: 18. bindmethod=simple credentials=secret
+E: 19. # indexed attribute definitions
+E: 20. index uid pres,eq
+E: 21. index cn,sn,uid pres,eq,approx,sub
+E: 22. index objectClass eq
+E: 23. # ldbm access control definitions
+E: 24. access to attr=userPassword
+E: 25. by self write
+E: 26. by anonymous auth
+E: 27. by dn="cn=Admin,dc=example,dc=com" write
+E: 28. by * none
+E: 29. access to *
+E: 30. by self write
+E: 31. by anonymous auth
+E: 32. by dn="cn=Admin,dc=example,dc=com" write
+E: 33. by * read
+
+Line 5 is a comment. The start of the database definition is
+marked by the database keyword on line 6. Line 7 specifies
+the DN suffix for queries to pass to this database. Line 8
specifies the directory in which the database files will live
-Lines 8 and 9 identify the database "super user" entry and
+Lines 9 and 10 identify the database "super user" entry and
associated password. This entry is not subject to access
control or size or time limit restrictions.
-Lines 10 through 17 are for replication. Line 10 specifies the
+Lines 11 through 18 are for replication. Line 11 specifies the
replication log file (where changes to the database are logged
-\- this file is written by slapd and read by slurpd). Lines 11
-through 13 specify the hostname and port for a replicated
+\- this file is written by slapd and read by slurpd). Lines 12
+through 14 specify the hostname and port for a replicated
host, the DN to bind as when performing updates, the bind
method (simple) and the credentials (password) for the
-binddn. Lines 14 through 17 specify a second replication site.
+binddn. Lines 15 through 18 specify a second replication site.
See the {{SECT:Replication with slurpd}} chapter for more
information on these directives.
-Lines 19 through 21 indicate the indexes to maintain for
+Lines 20 through 22 indicate the indexes to maintain for
various attributes.
-Lines 23 through 32 specify access control for entries in the
+Lines 24 through 33 specify access control for entries in the
database. For all entries, the {{EX:userPassword}} attribute is
writable by the entry and the "admin" entry, may be used for
authentication/authorization purposes, but is otherwise not
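Review bot: the renumbered replication references carry over an off-by-one from the original text. In the listing, line 11 is the `# replication directives` comment, line 12 is `replogfile`, lines 13 through 15 are the first `replica` (host, binddn, bindmethod/credentials) and lines 16 through 18 are the second, yet the text says "Line 11 specifies the replication log file", "Lines 12 through 14 specify the hostname and port for a replicated host" and "Lines 15 through 18 specify a second replication site". Since the patch rewrites these sentences anyway, suggest "Line 12 specifies the replication log file", "Lines 13 through 15 specify the hostname and port ..." and "Lines 16 through 18 specify a second replication site". The remaining references (lines 5 through 10, 20 through 22, 24 through 33) match the listing.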