From 9565ec4bbd7ca148abef037553aad8f7144660a3 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Sun, 3 Jul 2005 23:18:08 +0000
Subject: [PATCH] document new flag values for identity assertion

---
 doc/man/man5/slapd-ldap.5 | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 1df057ef8b..f36edf25a5 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -231,6 +231,10 @@ permissions, or the asserted identities must have appropriate
 permissions.  Note, however, that the ID assertion feature is mostly 
 useful when the asserted identities do not exist on the remote server.
 
+Flags can be
+
+\fBoverride,{prescriptive|non-prescriptive}\fP
+
 When the 
 .B override
 flag is used, identity assertion takes place even when the database
@@ -239,6 +243,20 @@ with the provided identity, and thus authenticating it, the proxy
 performs the identity assertion using the configured identity and
 authentication method.
 
+When the
+.B prescriptive
+flag is used (the default), operations fail with
+\fIinappropriateAuthentication\fP
+for those identities whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+If the 
+.B non-prescriptive
+flag is used, operations are performed anonymously for those identities 
+whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+
 This directive obsoletes
 .BR idassert-authcDN ,
 .BR idassert-passwd ,
-- 
2.39.5