From 54f70247f42fe57041e7f31f7229c15d08310d17 Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Tue, 20 May 2008 02:17:58 +0000 Subject: [PATCH] ITS#5512 --- CHANGES | 2 ++ doc/guide/admin/access-control.sdf | 8 ++++++-- doc/guide/admin/appendix-upgrading.sdf | 16 ++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 729670a76b..296bfd5951 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,8 @@ OpenLDAP 2.4.10 Engineering Fixed slapo-syncprov csn update with delta-syncrepl (ITS#5493) Fixed slapo-syncprov op2.o_extra reset (ITS#5506) Fixed slapo-syncprov sending ops without queued CSNs (ITS#5465) + Documentation + Add search privileges documentation (ITS#5512) OpenLDAP 2.4.9 Release (2008/05/07) Fixed libldap to use unsigned port (ITS#5436) diff --git a/doc/guide/admin/access-control.sdf b/doc/guide/admin/access-control.sdf index a60a341052..aedd96680f 100644 --- a/doc/guide/admin/access-control.sdf +++ b/doc/guide/admin/access-control.sdf @@ -137,7 +137,9 @@ attribute name and also using a value selector: There are two special {{pseudo}} attributes {{EX:entry}} and {{EX:children}}. To read (and hence return) a target entry, the subject must have {{EX:read}} access to the target's {{entry}} -attribute. To add or delete an entry, the subject must have +attribute. To perform a search, the subject must have +{{EX:search}} access to the search base's {{entry}} attribute. +To add or delete an entry, the subject must have {{EX:write}} access to the entry's {{EX:entry}} attribute AND must have {{EX:write}} access to the entry's parent's {{EX:children}} attribute. To rename an entry, the subject must have {{EX:write}} 
@@ -552,7 +554,9 @@ attribute name and also using a value selector: There are two special {{pseudo}} attributes {{EX:entry}} and {{EX:children}}. To read (and hence return) a target entry, the subject must have {{EX:read}} access to the target's {{entry}} -attribute. To add or delete an entry, the subject must have +attribute. To perform a search, the subject must have +{{EX:search}} access to the search base's {{entry}} attribute. +To add or delete an entry, the subject must have {{EX:write}} access to the entry's {{EX:entry}} attribute AND must have {{EX:write}} access to the entry's parent's {{EX:children}} attribute. To rename an entry, the subject must have {{EX:write}} diff --git a/doc/guide/admin/appendix-upgrading.sdf b/doc/guide/admin/appendix-upgrading.sdf index 98b8a8fe67..a0504266bd 100644 --- a/doc/guide/admin/appendix-upgrading.sdf +++ b/doc/guide/admin/appendix-upgrading.sdf @@ -37,6 +37,22 @@ entries like below, just remove them from the relevant ldif file. > olcReplicationInterval: value #0: keyword is obsolete (ignored) +H2: ACLs: searches require privileges on the search base + +Search operations now require "search" privileges on the "entry" pseudo-attribute of the search +base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search +bases. + +For example, assuming you have the following ACL: + +> access to dn.sub="ou=people,dc=example,dc=com" by * search + +Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL: + +> access to dn.base="dc=example,dc=com" attrs=entry by * search + +Note: The {{slapd.access}}(5) man page states that this requirement was introduced +with OpenLDAP 2.3. However, it is the default behavior only since 2.4. -- 2.39.5
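Review bot: the new CHANGES entry "Add search privileges documentation (ITS#5512)" breaks the past-tense convention of every neighbouring entry ("Fixed slapo-syncprov csn update ...", "Fixed libldap to use unsigned port ..."); write it as "Added search privileges documentation (ITS#5512)" so the 2.4.10 Engineering block reads uniformly.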
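Review bot: in the first access-control.sdf hunk the added sentence writes the pseudo-attribute as {{entry}} ("{{EX:search}} access to the search base's {{entry}} attribute") while the same paragraph writes it as {{EX:entry}} two lines later ("{{EX:write}} access to the entry's {{EX:entry}} attribute"); use {{EX:entry}} in the new text, and since the pre-existing "target's {{entry}}" on the context line has the same inconsistency, fix that occurrence in the same commit. A short cross-reference to the new upgrading appendix would also help here, because this chapter now states the requirement as a plain rule while the appendix is the only place that says it only became the default in 2.4.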
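Review bot: the second access-control.sdf hunk is a verbatim copy of the change at line 137, which is expected since the chapter carries the pseudo-attribute paragraph twice, but it repeats the same {{entry}} versus {{EX:entry}} markup inconsistency; whatever wording and markup fix is applied to the first copy must be mirrored here so the two sections do not drift apart.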
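Review bot: the appendix-upgrading.sdf example omits that slapd evaluates access directives in order and applies the first one whose what-clause matches, so the added "access to dn.base="dc=example,dc=com" attrs=entry by * search" directive must be placed before any broader directive that also matches the base entry (a catch-all "access to * ..." for instance), otherwise it is never reached and the search is still denied; say so explicitly, since ordering is the most likely reason a reader's upgrade fix will appear not to work. Two smaller points: the text writes "search" and "entry" in plain quotes where access-control.sdf uses {{EX:search}} and {{EX:entry}} for the same tokens, so use the {{EX:}} markup for consistency; and the closing Note records that {{slapd.access}}(5) dates the requirement to 2.3 when it is the default only since 2.4, which is a man page defect that should be corrected or tracked in ITS rather than only noted as a discrepancy in the guide.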