From 75b9f8acdc626041190468939fbf045e2c83e104 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Mon, 15 Dec 2003 18:41:23 +0000 Subject: [PATCH] Make a few OPERATIONAL REQUIREMENT clarifications Clean up formating --- doc/man/man5/slapd.access.5 | 81 +++++++++++++++++++++---------------- 1 file changed, 46 insertions(+), 35 deletions(-) diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index 171b341d97..219a5addaa 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -474,87 +474,98 @@ which grants everybody search and compare privileges, and adds read privileges to authenticated clients. .SH OPERATION REQUIREMENTS Operations require different privileges on different portions of entries. -.TP +The following summary applies to primary database backends such as +the LDBM, BDB, and HDB backends. Requirements for other backends may +(and often do) differ. +.LP The .B add -operation requires -.B write -privileges on the meta-attribute +operation requires +.B write (=w) +privileges on the pseudo-attribute .B entry of the entry being added, and -.B write -privileges on the meta-attribute +.B write (=w) +privileges on the pseudo-attribute .B children of the entry's parent. -.TP +.LP The .B bind operation, when credentials are stored in the directory, requires -.B auth +.B auth (=x) privileges on the attribute the credentials are stored in (usually .BR userPassword ). -.TP +.LP The .B compare operation requires -.B compare +.B compare (=c) privileges on the attribute that is being compared. -.B FIXME: should it require also compare privileges on the entry's meta-attribute? -.TP +.LP The .B delete operation requires -.B write -privileges on the meta-attribute +.B write (=w) +privileges on the pseudo-attribute .B entry of the entry being deleted, and -.B write +.B write (=w) privileges on the .B children -meta-attribute of the entry's parent. -.TP +pseudo-attribute of the entry's parent. +.LP The .B modify operation requires -.B write +.B write (=w) privileges on the attibutes being modified. -.TP +.LP The .B modrdn operation requires -.B write -privileges on the meta-attribute +.B write (=w) +privileges on the pseudo-attribute .B entry of the entry whose relative DN is being modified, -.B write -privileges on the meta-attribute +.B write (=w) +privileges on the pseudo-attribute .B children of the old and new entry's parents, and -.B write +.B write (=w) privileges on the attributes that are present in the new relative DN. -.B Write +.B Write (=w) privileges are also required on the attributes that are present in the old relative DN if .B deleteoldrdn is set to 1. -.TP +.LP The .B search operation, for each entry, requires -.B search +.B search (=s) privileges on the attributes that are defined in the filter. Then, the resulting entries are tested for -.B read -privileges on the meta-attribute +.B read (=r) +privileges on the pseudo-attribute .B entry +(for read access to the entry itself) and for -.B read +.B read (=r) access on each value of each attribute that is requested. -.B Referrals -are also checked for -.B read -access on the meta-attribute -.BR entry . +Also, for each +.B referral +object used in generating continuation references, the operation requires +.B read (=r) +access on the pseudo-attribute +.B entry +(for read access to the referral object itself), +as well as +.B read (=r) +access to the attribute holding the referral information +(generally the +.B ref +attribute). .SH CAVEATS It is strongly recommended to explicitly use the most appropriate DN -- 2.39.5