From 15502d87aece9537c905769a3b96975169d7d8b8 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 16 Nov 2006 15:09:47 +0000 Subject: [PATCH] Add note about access controls on config backend --- doc/man/man5/slapd-config.5 | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index 7d73e58b9f..67e1612d49 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -1055,14 +1055,22 @@ attributes (specified by ) by one or more requestors (specified by ). If no access controls are present, the default policy allows anyone and everyone to read anything but restricts -updates to rootdn. (e.g., "olcAccess: to * by * read"). Access -controls set in the frontend are appended to any access -controls set on the specific databases. -The rootdn of a database can always read and write EVERYTHING -in that database! +updates to rootdn. (e.g., "olcAccess: to * by * read"). See .BR slapd.access (5) and the "OpenLDAP Administrator's Guide" for details. + +Access controls set in the frontend are appended to any access +controls set on the specific databases. +The rootdn of a database can always read and write EVERYTHING +in that database. + +Extra special care must be taken with the access controls on the +config database. Unlike other databases, the default policy for the +config database is to only allow access to the rootdn. Regular users +should not have read access, and write access should be granted very +carefully to privileged administrators. + .TP .B olcDefaultSearchBase: Specify a default search base to use when client submits a -- 2.39.5
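Review bot: The new config-database paragraph at the end of the hunk contradicts the unqualified sentence kept at the top of it ("If no access controls are present, the default policy allows anyone and everyone to read anything"), because it says the config database defaults to rootdn-only access. A reader who stops at the first paragraph comes away with the wrong default for the config database, so consider qualifying that sentence (for example "for databases other than the config database") or moving the exception directly after it, ahead of the slapd.access(5) reference. The paragraph also says write access "should be granted very carefully to privileged administrators" without showing what such a rule looks like, while the general default gets an example ("olcAccess: to * by * read"); an example rule or a pointer to where one is documented would make the warning actionable.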