From 3ccd4fe74646edda63c3741409f278924571fbba Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Tue, 16 May 2006 19:15:29 +0000 Subject: [PATCH] Import "disable bind_anon" clarifications from HEAD --- CHANGES | 1 + doc/guide/admin/security.sdf | 13 ++++++++----- doc/man/man5/slapd.conf.5 | 3 ++- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 315e0a734c..76d74d3b6d 100644 --- a/CHANGES +++ b/CHANGES @@ -46,6 +46,7 @@ OpenLDAP 2.3.22 Release Fixed test033-glue-syncrepl overlay detection (ITS#4544) Documentation Fixed slapd(8) logging header reference (ITS#4509) + Clarified slapd.conf(5) "disable bind_anon" feature OpenLDAP 2.3.21 Release Fixed libldap referral chasing issue (ITS#4448) diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf index 38044b651b..8dcfcc5390 100644 --- a/doc/guide/admin/security.sdf +++ b/doc/guide/admin/security.sdf 
@@ -117,15 +117,18 @@ The LDAP "simple" method has three modes of operation: * unauthenticated, and * user/password authenticated. -Anonymous access is obtained by providing no name and no password -to the "simple" bind operation. Unauthenticated access is obtained -by providing a name but no password. Authenticated access is obtain -by providing a valid name and password. +Anonymous access is requested by providing no name and no password +to the "simple" bind operation. Unauthenticated access is requested +by providing a name but no password. Authenticated access is +requested by providing a valid name and password. An anonymous bind results in an {{anonymous}} authorization association. Anonymous bind mechanism is enabled by default, but can be disabled by specifying "{{EX:disallow bind_anon}}" in -{{slapd.conf}}(5). +{{slapd.conf}}(5). Note that disabling the anonymous bind mechanism +does not prevent anonymous access to the directory. To require +authentication to access the directory, one should instead +specify "{{EX:require authc}}". An unauthenticated bind also results in an {{anonymous}} authorization association. Unauthenticated bind mechanism is disabled by default, diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index c19ea76f75..3c8dc530ed 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -407,7 +407,8 @@ Base scoped search requests with an empty base DN are not affected. Specify a set of features (separated by white space) to disallow (default none). .B bind_anon -disables acceptance of anonymous bind requests. +disables acceptance of anonymous bind requests. Note that this setting +does not prohibit anonymous directory access (See "require authc"). .B bind_simple disables simple (bind) authentication. .B tls_2_anon -- 2.39.5
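Review bot: In the CHANGES hunk, the new entry names the feature "disable bind_anon", but the directive the other two hunks document is "disallow bind_anon" (security.sdf uses "{{EX:disallow bind_anon}}", and the slapd.conf.5 text sits under the list of features to disallow). Suggest the entry read: Clarified slapd.conf(5) "disallow bind_anon" feature, so that a changelog search for the directive name finds it. The entry also mentions only slapd.conf(5), although doc/guide/admin/security.sdf is changed as well.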
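Review bot: In the security.sdf hunk (@@ -117,15 +117,18 @@), the added note says that disabling the anonymous bind mechanism does not prevent anonymous access, but it does not say how that access still arises, and "one should instead specify" can be read as telling the administrator to drop "disallow bind_anon" in favour of "require authc". Someone hardening a server could take either reading. Suggest adding one clause that names the remaining path to anonymous access, and rewording "instead" to state whether the two settings may be combined. Separately, now that the verbs have changed from "obtained" to "requested", "providing a valid name and password" no longer fits, since a request can carry invalid credentials; consider dropping "valid".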
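Review bot: In the slapd.conf.5 hunk (@@ -407,7 +407,8 @@), the cross-reference (See "require authc") is capitalised mid-sentence and given as quoted plain text, while the keywords around it are set with .B markup. Suggest lower-case "see" and marking up the keyword the same way as the neighbouring entries so it stands out as a setting name. The wording also differs from the guide hunk ("does not prohibit anonymous directory access" here, "does not prevent anonymous access to the directory" there); using one phrasing in both places would make it clear they describe the same behaviour.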