From 9ebcd375e46b5401879b8a33e2c7607c7a96d6e0 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Fri, 17 Oct 2008 00:00:46 +0000
Subject: [PATCH] minor clarifications

---
 doc/man/man5/slapd.conf.5 | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 31412cbf70..5cb75edf3f 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -226,7 +226,7 @@ or a set of identities; it can take five forms:
 .B dn[.<dnstyle>]:<pattern>
 .RE
 .RS
-.B u[<mech>[<realm>]]:<pattern>
+.B u[.<mech>[/<realm>]]:<pattern>
 .RE
 .RS
 .B group[/objectClass[/attributeType]]:<pattern>
@@ -314,7 +314,8 @@ to explicitly set the type of identity specification that is being used.
 A subset of these rules can be used as third arg in the 
 .B authz-regexp
 statement (see below); significantly, the 
-.I URI
+.IR URI ,
+provided it results in exactly one entry,
 and the
 .I dn.exact:<dn> 
 forms.
@@ -322,8 +323,10 @@ forms.
 .TP
 .B authz-regexp <match> <replace>
 Used by the authentication framework to convert simple user names,
-such as provided by SASL subsystem, to an LDAP DN used for
-authorization purposes.  Note that the resultant DN need not refer
+such as provided by SASL subsystem, or extracted from certificates
+in case of cert-based SASL EXTERNAL, or provided within the RFC 4370
+"proxied authorization" control, to an LDAP DN used for
+authorization purposes.  Note that the resulting DN need not refer
 to an existing entry to be considered valid.  When an authorization
 request is received from the SASL subsystem, the SASL 
 .BR USERNAME ,
-- 
2.39.5