From 76cb3243d35ce1a5fa4e223a45e089b7d4dba69b Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Fri, 14 Jun 2002 20:53:52 +0000 Subject: [PATCH] Misc cleanup --- doc/guide/admin/runningslapd.sdf | 2 +- doc/guide/admin/sasl.sdf | 31 ++++++++++++++++--------------- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/doc/guide/admin/runningslapd.sdf b/doc/guide/admin/runningslapd.sdf index a6155f86e9..b6ddc6c70c 100644 --- a/doc/guide/admin/runningslapd.sdf +++ b/doc/guide/admin/runningslapd.sdf @@ -91,7 +91,7 @@ additive, you can do the math yourself. That is, if you want to trace function calls and watch the config file being processed, you could set level to the sum of those two levels (in this case, {{EX: -d 65}}). Or, you can let slapd do the -math, (e.g. {{EX: -d 1 -d 64}}). Consult {{F: }} for +math, (e.g. {{EX: -d 1 -d 64}}). Consult {{F: }} for more details. Note: slapd must have been compiled with {{EX:-DLDAP_DEBUG}} diff --git a/doc/guide/admin/sasl.sdf b/doc/guide/admin/sasl.sdf index d2c61fcf96..53b886730d 100644 --- a/doc/guide/admin/sasl.sdf +++ b/doc/guide/admin/sasl.sdf @@ -475,21 +475,22 @@ put into LDAP entries to allow authorization: > saslAuthzTo > saslAuthzFrom -Both can be multivalued. The first is called a source rule, and it -is placed into a person's authentication DN entry to tell what -other authorization DN's the person is allowed to change to. The -second form is called a destination rule, and it is placed into an -authorization DN's entry to tell what authenticated DN a person -must be coming from in order to switch to that authorization DN. -The choice of which form to use is up to the administrator. Source -rules are checked first in the person's authentication DN entry, -and if none of the {{EX:saslAuthzTo}} rules specify the authorization -is permitted, the {{EX:saslAuthzFrom}} rules in the authorization -DN entry are then checked. If neither case specifies that the -request be honored, the request is denied with an "inappropriate -access" message. Since the default behaviour is to deny authorization -requests, rules only specify that a request be allowed; there are -no negative rules telling what authorizations to deny. +Both can be multivalued. The {{EX:saslAuthzTo}} attribute is a +source rule, and it is placed into the entry associated with the +authentication DN to tell what authorization DNs the authenticated +DN is allowed to assume. The second attribute is a destination +rule, and it is placed into the entry associated with the requested +authorization DN to tell which authenticated DNs may assume it. + +The choice of which authorization policy attribute to use is up to +the administrator. Source rules are checked first in the person's +authentication DN entry, and if none of the {{EX:saslAuthzTo}} rules +specify the authorization is permitted, the {{EX:saslAuthzFrom}} +rules in the authorization DN entry are then checked. If neither +case specifies that the request be honored, the request is denied. +Since the default behaviour is to deny authorization requests, rules +only specify that a request be allowed; there are no negative rules +telling what authorizations to deny. The value(s) in the two attributes are of the same form as the output of the replacement pattern of a {{EX:saslRegexp}} directive: -- 2.39.5