From 141ac1031cd12d689c6a6b86833661e2868495f1 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Tue, 19 Jul 2005 00:29:52 +0000 Subject: [PATCH] reword the description of listener permissions --- doc/man/man8/slapd.8 | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 index 43876d916d..8b7a5bb77c 100644 --- a/doc/man/man8/slapd.8 +++ b/doc/man/man8/slapd.8 
@@ -159,19 +159,22 @@ Support for the latter two schemes depends on selected configuration options. Hosts may be specified by name or IPv4 and IPv6 address formats. Ports, if specified, must be numeric. The default ldap:// port is 389 and the default ldaps:// port is 636. -The socket permissions for LDAP over IPC are indicated by + +The listener permissions are indicated by "x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any -of the "rwx" can be "-" to suppress the related permission (note, -however, that sockets only honor the "w" permission), while any +of the "rwx" can be "-" to suppress the related permission, while any of the "7" can be any legal octal digit, according to chmod(1). -While LDAP over IPC requires write permissions on the socket to allow -any operation, the other listeners can take advantage of the "x-mod" -extension to apply rough limitations to users, e.g. allow read operations +The listeners can take advantage of the "x-mod" +extension to apply rough limitations to operations, e.g. allow read operations ("r", which applies to search and compare), write operations ("w", which applies to add, delete, modify and modrdn), and execute operations ("x", which means bind is required). -"User" permissions apply to bound users, while "other" apply -to anonymous users. +"User" permissions apply to authenticated users, while "other" apply +to anonymous users; "group" permissions are ignored. +For example, "ldap:///????x-mod=-rw-------" means that read and write is only allowed +for authenticated connections, and bind is required for all operations. +This feature is experimental, and requires to be manually enabled +at configure time. .TP .BI \-r " directory" Specifies a directory to become the root directory. slapd will -- 2.39.5
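Review bot: The rewording of the x-mod paragraph drops both statements about LDAP over IPC (the parenthetical "sockets only honor the "w" permission" and the sentence "LDAP over IPC requires write permissions on the socket to allow any operation") without saying whether that behaviour has changed. If it still holds, keep one sentence for the IPC listener, because an administrator who sets a read-only mode on a socket would otherwise have no hint that it is treated differently from the other listeners; if it no longer holds, say so in the commit message. In the added example, "x-mod=-rw-------" sets no "x" in any position, yet the text concludes "bind is required for all operations" while "x" is defined as "which means bind is required"; state whether that requirement follows from the empty "other" field or from "x", and what setting or clearing "x" actually does. Smaller points: "read and write is only allowed" should be "are only allowed"; "requires to be manually enabled at configure time" reads better as "must be enabled manually at configure time" and should name the configure option; and the blank line added before "The listener permissions" would be more conventional as a paragraph macro in man source.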