From ca52621c1beb690e0c4a897330c4a763d63e8268 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Thu, 18 Dec 2003 00:27:01 +0000 Subject: [PATCH] some notes on access required by proxyAuthz control; note that other controls may need different access privileges via, e.g., backend_attribute() (syncrepl?) --- doc/man/man5/slapd.access.5 | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index f2bbcde75b..c01b7ce4ba 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -584,6 +584,25 @@ access to the attribute holding the referral information (generally the .B ref attribute). +.LP +Some +.B controls +require specific access privileges. +The +.B proxyAuthz +control requires +.B auth (=x) +privileges on all the attributes that are present in the search filter +of the URI regexp maps (the right-hand side of the +.B sasl-regexp +directives). +It also requires +.B auth (=x) +privileges on the +.B saslAuthzTo +attribute of the authorizing identity and/or on the +.B saslAuthzFrom +attribute of the authorized identity. .SH CAVEATS It is strongly recommended to explicitly use the most appropriate .BR , -- 2.39.5
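Review bot: In the added proxyAuthz paragraph, "privileges on the saslAuthzTo attribute of the authorizing identity and/or on the saslAuthzFrom attribute of the authorized identity" does not say which of the two attributes is checked in which case, and neither sentence names the identity that must be granted the auth (=x) privilege. An administrator cannot work out from this text which access rule to write, and is likely to grant more than is needed to get the control working. Suggest stating the condition under which each attribute is consulted and who needs the privilege on it. The opening sentence "Some controls require specific access privileges" is followed only by proxyAuthz, while the commit message says other controls may need different privileges. A sentence saying the list is not exhaustive would keep the man page from reading as complete.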