ITS#5852

diff --git a/CHANGES b/CHANGES
index a01f2a7af899b1e7f6191c21bfd6d89dff035f59..04b58de4947e164aa05b3a03666533fc438faf9f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -61,11 +61,12 @@ OpenLDAP 2.4.14 Engineering
                Fixed uuid_create/uuid_unparse_lower detection (ITS#5905)
        Documentation
                admin24 added limits chapter (ITS#5818)
+               admin24 access-control clarify global ACLS (ITS#5851,ITS#5852)
                slapd-bdb/hdb expansion on dncachesize behavior (ITS#5721)
                slapo-constraint(5) example fix (ITS#5895)
                slap*(8) man pages should mention slapd-config (ITS#5828)
                slapd(8) document sid (ITS#5873)
-               slapd.access(5) clarify when global ACLS apply (ITS#5851)
+               slapd.access(5) clarify global ACLS (ITS#5851,ITS#5852)
                slapadd/cat/index(8) note -n 0 for slapd-config (ITS#5891)
                Added SEE ALSO slapd-config(5) to relevant man pages (ITS#5914)
 

diff --git a/doc/guide/admin/access-control.sdf b/doc/guide/admin/access-control.sdf
index b43ebc2319e0e308105a64759c9e3314b0f185d6..610467e71b317a87556a6b4c29834fad713dee61 100644 (file)
--- a/doc/guide/admin/access-control.sdf
+++ b/doc/guide/admin/access-control.sdf
@@ -219,7 +219,14 @@ an entry and/or attribute, slapd compares the entry and/or attribute
 to the {{EX:<what>}} selectors given in the configuration file.
 For each entry, access controls provided in the database which holds
 the entry (or the global access directives if not held in any database) apply
-first, followed by the global access directives.  Within this
+first, followed by the global access directives. However, when dealing with 
+an access list, because the global access list is effectively appended 
+to each per-database list, if the resulting list is non-empty then the 
+access list will end with an implicit {{EX:access to * by * none}} directive. 
+If there are no access directives applicable to a backend, then a default 
+read is used.
+
+Within this
 priority, access directives are examined in the order in which they
 appear in the config file.  Slapd stops with the first {{EX:<what>}}
 selector that matches the entry and/or attribute. The corresponding
@@ -304,9 +311,12 @@ are also under {{EX:dc=com}} entries.
 
 Also note that if no {{EX:access to}} directive matches or no {{EX:by
 <who>}} clause, {{B:access is denied}}.  That is, every {{EX:access
-to}} directive ends with an implicit {{EX:by * none}} clause and
-every access list ends with an implicit {{EX:access to * by * none}}
-directive.
+to}} directive ends with an implicit {{EX:by * none}} clause. When dealing
+with an access list, because the global access list is effectively appended 
+to each per-database list, if the resulting list is non-empty then the access 
+list will end with an implicit {{EX:access to * by * none}} directive. If
+there are no access directives applicable to a backend, then a default read is
+used.
 
 The next example again shows the importance of ordering, both of
 the access directives and the {{EX:by <who>}} clauses.  It also
@@ -635,7 +645,14 @@ to the {{EX:<what>}} selectors given in the configuration.  For
 each entry, access controls provided in the database which holds
 the entry (or the global access directives if not held in any database) apply
 first, followed by the global access directives (which are held in
-the {{EX:frontend}} database definition).  Within this priority,
+the {{EX:frontend}} database definition). However, when dealing with 
+an access list, because the global access list is effectively appended 
+to each per-database list, if the resulting list is non-empty then the 
+access list will end with an implicit {{EX:access to * by * none}} directive. 
+If there are no access directives applicable to a backend, then a default 
+read is used.
+
+Within this priority,
 access directives are examined in the order in which they appear
 in the configuration attribute.  Slapd stops with the first
 {{EX:<what>}} selector that matches the entry and/or attribute. The
@@ -720,10 +737,11 @@ would never be reached, since all entries under {{EX:dc=example,dc=com}}
 are also under {{EX:dc=com}} entries.
 
 Also note that if no {{EX:olcAccess: to}} directive matches or no {{EX:by
-<who>}} clause, {{B:access is denied}}.  That is, every {{EX:olcAccess:
-to}} directive ends with an implicit {{EX:by * none}} clause and
-every access list ends with an implicit {{EX:olcAccess: to * by * none}}
-directive.
+<who>}} clause, {{B:access is denied}}.  When dealing with an access list, 
+because the global access list is effectively appended to each per-database 
+list, if the resulting list is non-empty then the access list will end with 
+an implicit {{EX:access to * by * none}} directive. If there are no access 
+directives applicable to a backend, then a default read is used.
 
 The next example again shows the importance of ordering, both of
 the access directives and the {{EX:by <who>}} clauses.  It also

diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5
index e6cb8ae95a5e3a2404753e54d524b80460c613ac..34b2eede2629c668563c3e9cfe45f9ca4451f9c8 100644 (file)
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@@ -54,7 +54,15 @@ are then used.
 If no access controls are present, the default policy
 allows anyone and everyone to read anything but restricts
 updates to rootdn.  (e.g., "access to * by * read").
-The rootdn can always read and write EVERYTHING!
+.LP
+When dealing with an access list, because the global access list is 
+effectively appended to each per-database list, if the resulting 
+list is non-empty then the access list will end with an implicit 
+.B access to * by * none
+directive. If there are no access directives applicable to a backend, 
+then a default read is used.
+.LP
+.B Be warned: the rootdn can always read and write EVERYTHING!
 .LP
 For entries not held in any backend (such as a root DSE), the
 global directives are used.