From 8feffa6091a88fbd32d7bd8e035b688c55c63c17 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Sat, 9 Apr 2005 00:44:17 +0000
Subject: [PATCH] further fulfilment of ITS#3639

---
 doc/man/man5/slapd-null.5 | 5 +++++
 doc/man/man5/slapd-relay.5 | 19 ++++++++++++++++---
 doc/man/man5/slapd-sql.5 | 8 ++++++++
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/man/man5/slapd-null.5 b/doc/man/man5/slapd-null.5
index ee4272f38e..5164a7c459 100644
--- a/doc/man/man5/slapd-null.5
+++ b/doc/man/man5/slapd-null.5
@@ -42,6 +42,11 @@ suffix "cn=Nothing"
 bind on
 .fi
 .RE
+.SH ACCESS CONTROL
+The
+.B null
+backend does not honor any of the access control semantics described in
+.BR slapd.access (5).
 .SH FILES
 .TP
 ETCDIR/slapd.conf
diff --git a/doc/man/man5/slapd-relay.5 b/doc/man/man5/slapd-relay.5
index 5a165f3b5b..8aeead99c2 100644
--- a/doc/man/man5/slapd-relay.5
+++ b/doc/man/man5/slapd-relay.5
@@ -52,7 +52,7 @@ directives described in
 One important issue is that access rules are based on the identity
 that issued the operation.
 After massaging from the virtual to the real naming context, the
-frontend sees the operation as performed by the identty in the
+frontend sees the operation as performed by the identity in the
 real naming context.
 Moreover, since
 .B back-relay
@@ -110,8 +110,7 @@ that looks up the real naming context for each operation, use
 database relay
 suffix "dc=virtual,dc=naming,dc=context"
 overlay rwm
- suffixmassage "dc=virtual,dc=naming,dc=context"
- "dc=real,dc=naming,dc=context"
+ suffixmassage "dc=real,dc=naming,dc=context"
 .fi
 .LP
 This is useful, for instance, to relay different databases that
@@ -176,6 +175,20 @@ clause) are in the
 and in the
 .BR "virtual naming context" ,
 respectively.
+.SH ACCESS CONTROL
+The
+.B relay
+backend does not honor any of the access control semantics described in
+.BR slapd.access (5);
+all access control is delegated to the relayed database(s).
+Only
+.B read (=r)
+access to the
+.B entry
+pseudo-attribute and to the other attribute values of the entries
+returned by the
+.B search
+operation is honored, which is performed by the frontend.
 .SH FILES
 .TP
 ETCDIR/slapd.conf
diff --git a/doc/man/man5/slapd-sql.5 b/doc/man/man5/slapd-sql.5
index 03d31c381f..d7411e555f 100644
--- a/doc/man/man5/slapd-sql.5
+++ b/doc/man/man5/slapd-sql.5
@@ -649,6 +649,14 @@ for details.
 .SH EXAMPLES
 There are example SQL modules in the slapd/back-sql/rdbms_depend/
 directory in the OpenLDAP source tree.
+.SH ACCESS CONTROL
+The
+.B sql
+backend honors access control semantics as indicated in
+.BR slapd.access (5),
+including the
+.B disclose
+access privilege.
 .SH FILES
 .TP
--
2.39.5