From f1698e30f52d9a8de5461166ee25283d28bbc057 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Mon, 4 Apr 2005 12:24:50 +0000 Subject: [PATCH] update diagnostics and man pages --- doc/man/man5/slapd.access.5 | 56 +++++++++++++++++++++++++++++++++---- servers/slapd/aclparse.c | 9 ++++-- 2 files changed, 58 insertions(+), 7 deletions(-) diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index 058239b9fb..cfc7427d2a 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -233,6 +233,14 @@ It can have the forms dn[.[,]]= dnattr= + + realanonymous + realusers + realself[.] + + realdn[.[,]]= + realdnattr= + group[/[/]] [.]= peername[.]= @@ -246,7 +254,8 @@ It can have the forms tls_ssf= sasl_ssf= - aci= + aci[=] + dynacl/name[.][=] .fi .LP with @@ -272,6 +281,11 @@ The wildcard .B * refers to everybody. .LP +The keywords prefixed by +.B real +act as their counterparts without prefix; the checking respectively occurs +with the \fIauthentication\fP DN and the \fIauthorization\fP DN. +.LP The keyword .B anonymous means access is granted to unauthenticated clients; it is mostly used 
@@ -601,12 +615,39 @@ The statement is undocumented yet. .LP The statement -.B aci= +.B aci[=] means that the access control is determined by the values in the .B attrname of the entry itself. +The optional +.B +indicates what attributeType holds the ACI information in the entry. +By default, the +.B OpenLDAPaci +operational attribute is used. ACIs are experimental; they must be enabled at compile time. .LP +The statement +.B dynacl/[.][=] +means that access checking is delegated to the admin-defined method +indicated by +.BR , +which can be registered at run-time by means of the +.B moduleload +statement. +The fields +.B +and +.B +are optional, and are directly passed to the registered parsing routine. +Dynacl is experimental; it must be enabled at compile time. +If dynacl and ACIs are both enabled, ACIs are cast into the dynacl scheme, +where +.B =aci +and, optionally, +.BR = . +However, the original ACI syntax is preserved for backward compatibility. +.LP The statements .BR ssf= , .BR transport_ssf= , @@ -617,7 +658,7 @@ set the minimum required Security Strength Factor (ssf) needed to grant access. The value should be positive integer. .SH THE FIELD The field -.B ::= [self]{|} +.B ::= [[real]self]{|} determines the access level or the specific access privileges the .B who field will have. @@ -633,7 +674,12 @@ The modifier allows special operations like having a certain access level or privilege only in case the operation involves the name of the user that's requesting the access. -It implies the user that requests access is bound. +It implies the user that requests access is authorized. +The modifier +.B realself +refers to the authenticated DN as opposed to the authorized DN of the +.B self +modifier. An example is the .B selfwrite access to the member attribute of a group, which allows one to add/delete 
@@ -662,7 +708,7 @@ access level disallows all access including disclosure on error. .LP The .B disclose -access level allows disclorure of information on error. +access level allows disclosure of information on error. .LP The .B auth diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index f82a577c3d..fddae6b13a 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -1987,13 +1987,18 @@ acl_usage( void ) " ::= [val[.]=] | , \n" " ::= | entry | children\n", " ::= [ * | anonymous | users | self | dn[.]= ]\n" + "\t[ realanonymous | realusers | realself | realdn[.]= ]\n" "\t[dnattr=]\n" + "\t[realdnattr=]\n" "\t[group[/[/]][.
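Review bot: in the slapd.access.5 hunk at @@ -246,7 +254,8, the new synopsis line `dynacl/name[.][=]` spells the method name as the literal word `name`, while the description added at @@ -601 writes the same form as `dynacl/[.][=]` with a placeholder; a reader of the synopsis will take `name` for a keyword. Use the same placeholder notation on both lines (the `aci[=]` line directly above shows the convention to follow).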
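Review bot: in the slapd.access.5 hunk at @@ -272,6 +281,11, "the checking respectively occurs with the \fIauthentication\fP DN and the \fIauthorization\fP DN" makes the reader work out which of the two forms maps to which DN. State it directly, e.g. "the \fBreal\fP forms are matched against the authentication DN, the unprefixed forms against the authorization DN", and add a sentence on when those two DNs differ, since that is the only case in which the new keywords change an access decision.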
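Review bot: the dynacl paragraph in the slapd.access.5 hunk at @@ -601,12 +615,39 does not say what slapd does when the method named in `dynacl/` has not been registered at the time the access directive is parsed, nor what happens when the registered parsing routine rejects the trailing fields it is handed. Because these directives decide access, the man page should state that both cases are configuration errors (not clauses that are skipped), and should say whether the `moduleload` that registers the method has to appear before the access directive that uses it.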
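Review bot: in the slapd.access.5 hunk at @@ -633,7 +674,12, changing "is bound" to "is authorized" in "It implies the user that requests access is authorized" is ambiguous in an access-control man page, where "authorized" reads as "granted access". Say what is meant, e.g. "has an authorization DN, i.e. is not anonymous". In the same hunk, "the authenticated DN as opposed to the authorized DN" should use the "authentication DN" / "authorization DN" wording introduced at @@ -272 so that the two passages use one set of terms.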
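Review bot: in the aclparse.c hunk at @@ -1987,13 +1987,18, the added usage line lists `realdn[.]=` while the man page synopsis at @@ -233 of slapd.access.5 documents `realdn[.[,]]=` with the additional modifier; the help text printed by `acl_usage()` should mirror the man page form so the two do not drift.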