From: Pierangelo Masarati <ando@openldap.org>
Date: Thu, 18 Dec 2003 00:27:01 +0000 (+0000)
Subject: some notes on access required by proxyAuthz control;
X-Git-Tag: OPENLDAP_REL_ENG_2_1_MP~156
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=ca52621c1beb690e0c4a897330c4a763d63e8268;p=openldap

some notes on access required by proxyAuthz control;
note that other controls may need different access
privileges via, e.g., backend_attribute() (syncrepl?)
---

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index f2bbcde75b..c01b7ce4ba 100644
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -584,6 +584,25 @@ access to the attribute holding the referral information
 (generally the
 .B ref
 attribute).
+.LP
+Some
+.B controls
+require specific access privileges.
+The
+.B proxyAuthz
+control requires
+.B auth (=x)
+privileges on all the attributes that are present in the search filter
+of the URI regexp maps (the right-hand side of the
+.B sasl-regexp
+directives).
+It also requires
+.B auth (=x)
+privileges on the
+.B saslAuthzTo
+attribute of the authorizing identity and/or on the 
+.B saslAuthzFrom
+attribute of the authorized identity.
 .SH CAVEATS
 It is strongly recommended to explicitly use the most appropriate
 .BR <dnstyle> ,