From: Kurt Zeilenga Date: Sun, 18 May 2003 21:54:00 +0000 (+0000) Subject: Misc. updates from HEAD X-Git-Tag: OPENLDAP_REL_ENG_2_1_20~3 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=cb16835f0939384f88b73f32a66066964f8afe51;p=openldap Misc. updates from HEAD --- diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index 6194db5b58..0d3d50fb83 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 @@ -65,6 +65,9 @@ library should connect. Each server's name can be specified as a domain-style name or an IP address and optionally followed by a ':' and the port number the ldap server is listening on. A space separated list of hosts may be provided. +.B HOST +is deprecated in favor of +.BR URI . .TP .B PORT Specifies the default port used when connecting to LDAP servers(s). @@ -208,7 +211,14 @@ If OpenLDAP is built with support for Transport Layer Security, there are more options you can specify. .TP .B TLS -Specifies whether client connections should use TLS by default. The +Specifies whether client connections should use ldaps:// by default. +This option is deprecated in favor of the +.B URI +option. Using the +.B TLS +option may break some applications. +.LP +The .B can be specified as one of the following keywords: .RS diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index fa6b945214..11b0a7fc8b 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 
@@ -424,7 +424,43 @@ or the (even more silly) example .fi .LP which grants everybody search and compare privileges, and adds read -privileges to authenticated users. +privileges to authenticated clients. +.SH CAVEATS +It is strongly recommended to explicitly use the most appropriate +DN +.BR style , +to avoid possible +incorrect specifications of the access rules as well +as for performance (avoid unrequired regex matching when +an exact match suffices) reasons. +.LP +An adminisistrator might create a rule of the form: +.LP +.nf + access to dn="dc=example,dc=com" + by ... +.fi +.LP +expecting it to match all entries in the subtree "dc=example,dc=com". +However, this rule actually matches any DN which contains anywhere +the substring "dc=example,dc=com". That is, the rule matches both +"uid=joe,dc=example,dc=com" and "dc=example,dc=com,uid=joe". +.LP +To match the desired subtree, the rule would be more precisely +written: +.LP +.nf + access to dn.regex="^(.+,)?dc=example,dc=com$$" + by ... +.fi +.LP +For performance reasons, it would be better to use the subtree style. +.LP +.nf +access to dn.subtree="dc=example,dc=com" + by ... +.fi +.LP .SH FILES .TP ETCDIR/slapd.conf
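Review bot: the ldap.conf.5 hunk that deprecates `HOST` ("+.B HOST", "+is deprecated in favor of", "+.BR URI .") gives the reader no hint of what the replacement looks like; since the surrounding paragraph already explains that a host may carry an optional ':' and port number, a one-line pointer showing that the same host and port are expressed as a scheme-prefixed URI under the `URI` option would make the migration path clear. Also, the new `.B`/`.BR` lines are spliced in before `.TP`/`.B PORT` without a `.LP`, so the notice renders as a continuation of the host-list sentence rather than as a distinct remark.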
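Review bot: in the `TLS` hunk of ldap.conf.5, "+option may break some applications." states a risk without saying what the breakage is, so a reader cannot judge whether it applies to them; one sentence explaining the failure mode (the option silently turns a plain ldap:// connection into ldaps:// for every client of the library, so applications that expect the plain scheme or the plain port are affected) would make the deprecation actionable. The rewording "+Specifies whether client connections should use ldaps:// by default." is an improvement over the old "use TLS", because it makes explicit that this is the ldaps:// scheme rather than any other TLS mode, and it is worth keeping the `URI` option named as the place where the scheme is stated per server.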
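Review bot: the new CAVEATS section in slapd.access.5 has a typo in "+An adminisistrator might create a rule of the form:" (should be "administrator"), and its third example "+access to dn.subtree="dc=example,dc=com"" lacks the leading space used by the other two `.nf` examples, so it renders misaligned. On substance, the caveat is the important part of this patch from an access-control standpoint: a bare `dn="dc=example,dc=com"` matching "dc=example,dc=com,uid=joe" means a rule intended for one subtree can grant or deny access on unrelated entries, and the text would be clearer if it said outright that a `dn=` value with no style is treated as a pattern, since that is what explains the substring match. The corrected regex "+ access to dn.regex="^(.+,)?dc=example,dc=com$$"" uses a doubled `$` as the end anchor with no explanation; a short note on why the `$` must be doubled in this file would save readers from copying it as a literal `$` or dropping one.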