From 43fc90ae98965a65c61ac95942d9557fec49122f Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Tue, 1 Aug 2006 01:09:53 +0000 Subject: [PATCH] Update RFC references fix "require" inheritance and handling of "none" (ITS#4574) Add access control note to authz-regexp discussion ITS#4613 note that lastmod also controls entryCSN and entryUUID --- doc/man/man5/slapd.conf.5 | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 3c8dc530ed..f1f67a559a 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -130,8 +130,8 @@ a trailing `-') matches all options starting with that name, as well as the option with the range name sans the trailing `-'. That is, `x-foo-bar-' matches `x-foo-bar' and `x-foo-bar-baz'. -RFC 2251 reserves options beginning with `x-' for private experiments. -Other options should be registered with IANA, see RFC 3383 section 3.4. +RFC 4520 reserves options beginning with `x-' for private experiments. +Other options should be registered with IANA, see RFC 4520 section 3.5. OpenLDAP also has the `binary' option built in, but this is a transfer option, not a tagging option. .HP @@ -150,8 +150,8 @@ option, not a tagging option. [NO\-USER\-MODIFICATION]\ [USAGE\ ]\ )" .RS -Specify an attribute type using the LDAPv3 syntax defined in RFC 2252. -The slapd parser extends the RFC 2252 definition by allowing string +Specify an attribute type using the LDAPv3 syntax defined in RFC 4512. +The slapd parser extends the RFC 4512 definition by allowing string forms as well as numeric OIDs to be used for the attribute OID and attribute syntax OID. (See the @@ -371,6 +371,8 @@ e.g. .RE The protocol portion of the URI must be strictly .BR ldap . +Note that this search is subject to access controls. Specifically, +the authentication identity must have "auth" access in the subject. Multiple .B authz-regexp 
@@ -428,8 +430,8 @@ dissallow the StartTLS operation if authenticated (see also [MAY\ ]\ [NOT\ ]\ )" .RS -Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 2252. -The slapd parser extends the RFC 2252 definition by allowing string +Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512. +The slapd parser extends the RFC 4512 definition by allowing string forms as well as numeric OIDs to be used for the attribute OID and attribute syntax OID. (See the @@ -633,8 +635,8 @@ the path is colon-separated but this depends on the operating system. [{ ABSTRACT | STRUCTURAL | AUXILIARY }]\ [MUST\ ] [MAY\ ] )" .RS -Specify an objectclass using the LDAPv3 syntax defined in RFC 2252. -The slapd parser extends the RFC 2252 definition by allowing string +Specify an objectclass using the LDAPv3 syntax defined in RFC 4512. +The slapd parser extends the RFC 4512 definition by allowing string forms as well as numeric OIDs to be used for the object class OID. (See the .B @@ -735,7 +737,9 @@ waits before checking the replogfile for changes. .B require Specify a set of conditions (separated by white space) to require (default none). -The directive may be specified globally and/or per-database. +The directive may be specified globally and/or per-database; +databases inherit global conditions, so per-database specifications +are additive. .B bind requires bind operation prior to directory operations. .B LDAPv3 @@ -749,8 +753,9 @@ requires strong authentication prior to directory operations. The strong keyword allows protected "simple" authentication as well as SASL authentication. .B none -may be used to require no conditions (useful for clearly globally -set conditions within a particular database). +may be used to require no conditions (useful to clear out globally +set conditions within a particular database); it must occur first +in the list of conditions. .TP .B reverse-lookup on | off Enable/disable client name unverified reverse lookup (default is 
@@ -1072,7 +1077,9 @@ Controls whether .B slapd will automatically maintain the modifiersName, modifyTimestamp, creatorsName, and -createTimestamp attributes for entries. By default, lastmod is on. +createTimestamp attributes for entries. It also controls +the entryCSN and entryUUID attributes, which are needed +by the syncrepl provider. By default, lastmod is on. .TP .B limits [ [...]] Specify time and size limits based on who initiated an operation. -- 2.39.5
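Review bot: in the authz-regexp hunk (@@ -371), the added sentence `the authentication identity must have "auth" access in the subject` leaves "in the subject" ambiguous: say which entry and attributes the `auth` privilege is required on for the mapping search to succeed, and cross-reference the `access` directive so readers know where that privilege is granted. It is also worth stating the failure mode (a search the identity is not allowed to perform yields no mapped identity), since "subject to access controls" only implies it and operators debugging a non-matching authz-regexp will look here first.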
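Review bot: the ditcontentrule hunk (@@ -428) rewrites the line `Specify an DIT Content Rule using the LDAPv3 syntax defined in RFC 4512.` but keeps the pre-existing article error; since the line is touched anyway, make it `Specify a DIT Content Rule ...`. The unchanged context just below, `forms as well as numeric OIDs to be used for the attribute OID and attribute syntax OID.`, is word-for-word the attributetype text from the @@ -150 hunk, so check that it names the OIDs a DIT content rule actually references rather than an attribute syntax OID. The hunk header context also shows a nearby pre-existing typo, `dissallow the StartTLS operation`, that could be fixed in the same documentation pass.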
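Review bot: in the `require` hunks (@@ -735 and @@ -749), the rewritten `.B none` paragraph says it `must occur first in the list of conditions` but not what happens when it appears later (rejected when the configuration is parsed, or silently ignored). Document that behaviour: with the newly described inheritance, a misplaced `none` on a per-database line would leave the global conditions in force instead of clearing them, which is exactly the case the directive exists to handle. A one-line illustration in the man page's own style, e.g. a global `require LDAPv3` followed by a per-database `require none bind`, would make the additive-plus-`none` semantics concrete.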
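Review bot: the lastmod hunk (@@ -1072) says entryCSN and entryUUID `are needed by the syncrepl provider` but stops short of the operational consequence. State explicitly that `lastmod off` must not be used on a database that serves as a syncrepl provider, and point to the syncrepl documentation, so the sentence reads as an actionable constraint rather than an aside; otherwise an administrator disabling lastmod to suppress the modifiersName/modifyTimestamp bookkeeping will also stop maintaining the attributes replication depends on.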